Packet transmission/reception device

ABSTRACT

A packets sending/receiving apparatus, comprising: authentication and key exchange means; encryption means for producing an encryption sending data; sending condition setting management means for producing sending condition setting information for setting sending condition of the sending packets; packetization means for producing the sending packets using the encryption sending data; receiving condition setting management means for producing receiving condition setting information for setting receiving condition of the receiving packets; packets reception means for receiving the reception packets; and decoding means for decoding the reception data using the decoding key.

TECHNICAL FIELD

The present invention relates to a packets sending/receiving apparatus. More specifically, the present invention relates to a packets sending/receiving apparatus for generating packets by using encrypted data (for example, AV data) and sending/receiving the generated packets by using Ethernet™ which conforms to standards such as the IEEE 802.3 standard, a wireless LAN which conforms to standards such as the IEEE 802.11 standard, or the like.

BACKGROUND OF THE INVENTION

Conventionally, MPEG-TS has been encrypted and transmitted based on a scheme defined by IEC 61883-4 using the IEEE 1394 standard even in general households. As an example of a scheme for encrypting and transmitting AV data such as MPEG-TS, the Digital Transmission Content Protection (DTCP) scheme is defined.

The DTCP scheme is a scheme regarding protection of the contents on transmission media such as the IEEE 1394 standard, USB and the like. The DTCP scheme is standardized by the Digital Transmission Licensing Administrator (DTLA). The DTCP scheme is described in more detail in, for example, http://www.dtcp.com, http://www.dtcp.com/data/dtcp tut.pdf, http://www.dtcp.com/data/wp spec.pdf, and a book “IEEE1394, AV kikiheno ouyou (IEEE1394, Application to AV equipment)” edited by Shinji Takada, The Nikkan Kogyo Shimbun Ltd., “Chapter 8, Copy Protection”, pp. 133-149.

FIG. 38 is a schematic view illustrating a transmission of MPEG-TS via transmission media which conforms to the IEEE 1394 standard by using the DTCP scheme.

In the DTCP scheme, a sending apparatus is referred to as a source 2001 and a receiving apparatus is referred to as a sink 2002. Data such as encrypted MPEG-TS is transmitted from the source 2001 to the sink 2002 via a network 2003.

In FIG. 38, the source 2001 is, for example, DVHS, DVD recorder, 1394 loaded set top box (STB), or 1394 loaded digital Television (TV). The sink 2002 is, for example, DVHS, DVD recorder, 1394 loaded set top box (STB), or 1394 loaded digital Television (TV).

AV data transmission such as MPEG-TS via transmission media which conforms to the IEEE 1394 standard by using the DTCP scheme is known.

However, implementing the DTCP scheme on an IP protocol, which is a standard protocol for the Internet, has not been known to date. Thus, AV data cannot be transmitted via transmission media which can transmit IP packets of IEEE 802.3 standard, which is a standard for Ethernet™, IEEE 802.11 standard, which is a standard for a wireless LAN, and others, by using the DTCP scheme. In other words, conventionally, AV data such as MPEG-TS cannot be transmitted between a sending apparatus and a receiving apparatus which are logically connected via IP protocol with the confidentiality and copyright of the data being protected using encryption.

SUMMARY OF THE INVENTION

According to the present invention, a packets sending/receiving apparatus for sending sending packets and receiving receiving packets comprises: authentication and key exchange means for producing an encryption key and a decoding key; encryption means for producing an encryption sending data by encrypting sending data using the encryption key; sending condition setting management means for producing sending condition setting information for setting sending condition of the sending packets using at least one of sending condition related information, sending/reception management information, and receiving condition setting information; packetization means for producing the sending packets using the encryption sending data; receiving condition setting management means for producing receiving condition setting information for setting receiving condition of the receiving packets using at least one of receiving condition related information and packets reception information; packets reception means for receiving the reception packets, which extracts reception data included in the reception packets from the reception packets using the reception condition setting information, produces the packets reception information from the reception packets, and outputs the packets reception information to the authentication and key exchange means or the receiving condition setting management means; and decoding means for decoding the reception data using the decoding key.

The packetization means includes packets addition information production means for producing packets addition information using at least one of the sending condition setting information and authentication and key exchange related information related to the authentication and key exchange means; the packetization means produces the sending packets by adding the packets addition information to the encryption sending data; and the packets receiving means includes a packets addition information extraction means for extracting the packets addition information included in the sending packets.

Framing means for receiving the sending packets to produce a sending frame; and frame reception means for receiving a reception frame and extracting the reception packets from the reception frame are further included.

First queue means for temporarily storing a first packets group produced at the packetization means; second queue means for temporarily storing a second packets group produced at the packetization means; sending queue control means for controlling which of the first packets group stored in the first queue means and the second packets group stored in the second queue means is to be sent based on the sending condition setting information; framing means for producing a sending frame by framing the first packets group output from the first queue means and the second packets group output from the second queue means; and a frame reception means for extracting the reception packets from a reception frame are further included.

The sending queue control means controls which of the first packets group stored in the first queue means and the second packets group stored in the second queue means is to be sent using at least one of information regarding a sending path of the first packets or the second packets, information regarding a bandwidth required for sending the first packets or the second packets, information regarding delay from sending to arrival of the sending packets, and information regarding priority of the first packets or the second packets.

The sending queue control means uses one of the control schemes of the RSVP scheme described in IETF RFC2205, RFC2208, RFC2209, the Intserv scheme described in IETF RFC2210, RFC2211, RFC2212, RFC2215, and the Diffserv scheme described in IETF RFC2474, RFC2475, RFC2597, RFC2598.

The sending queue control means controls the first queue means and the second queue means so as to select which of the first packets stored in the first queue means and the second packets stored in the second queue means is to be sent, and preferentially outputs the selected packets. The sending queue control means controls the first queue means and the second queue means such that, when an amount of the first packets stored in the second queue means does not exceed a predetermined amount, the first packets stored in the first queue means are preferentially output, and when an amount of the second packets stored in the second queue means exceeds a predetermined amount, the second packets stored in the second queue means are output preferentially.

The sending queue control means controls the first queue means and the second queue means so as to average intervals between the first packets sent from the first queue means and the second packets from the second queue means.

The sending condition setting management means and the receiving condition setting management means detect the maximum transmission packets size in a path from a sending destination of the sending packets and a receiving address between sending and arrival of the sending frame, and produce the sending condition setting information and receiving condition setting information using the maximum transmission packets size information.

The framing means adds a frame header of IEEE 802.3 standard to sending packets produced in the packetization frame.

The framing means adds a frame header of IEEE 802.1Q standard to sending packets produced in the packetization frame.

The packetization means converts the encryption sending data to a predetermined size and adds an Internet Protocol (IP) header defined as IPv4 or IPv6 in IETF.

The packetization means adds information indicating that it is preferred packets to a service type field of IPv4 header or a type of service (TOS) field in the service type field.

The packetization means adds information indicating that it is preferred packets to a priority field of IPv6 header.

The packetization means includes first packetization means and second packetization means; the first packetization means produces first packets using at least one of the sending condition setting information, and the authentication and key exchange related information; the second packetization means produces second packets using at least one of the sending condition setting information, authentication and key exchange related information, and the encryption sending data.

The packetization means converts the encryption sending data into a predetermined size and adds an IP header defined as IPv4 or IPv6 in IETF; the first packetization means is formed of software, and the second packetization means is formed of hardware.

Data separation means for separating the reception data into preferred data and general data; the encryption means encrypts the preferred data; and the first packetization means produces first packets group using the general data are further included.

The first packetization means adds at least one header of RTCP, RTSP, HTTP, TCP, UDP, IP, which are data process protocols defined in the IETF document.

The second packetization means adds a sequence number to data, or adds at least one header of RTP, UDP, HTTP, TCP, IP, which are data process protocols defined in the IETF document.

The preferred data is in an uncompressed SD format signal defined by SMPTE 259M standard, an uncompressed HD format defined by SMPTE 292 standard, a transmission stream format of DV or MPEG-TS by IEEE 1394 defined by IEC 61883, MPEG-TS format by DVB-ASI defined by DVB standard A010, MPEG-PS format, MPEG-ES format, and MPEG-PES format.

The second packetization means includes error correction code addition means.

A scheme of the error correction code used in the error correction code addition means is Reed-Solomon scheme or parity scheme.

Information indicating the encryption key outputs decoding information of the encryption key before the encrypted sending packets encrypted with the encryption key is output in the framing means.

Information indicating the encryption key is sent before the time of reception of a reception frame which corresponds to the sending frame from sending of the sending frame with respect to the time when the receiving packets including the encryption sending data produced using the encryption key is sent.

The authentication and key exchange means permits authentication when location information of the packets sending/receiving apparatus, and location information of the destination of the sending packets or location information of the source of the receiving packets match predetermined condition.

The sending/receiving management information includes at least one of the location information of the packets sending/receiving apparatus, and the location information of the destination of the sending packets or the location information of the source of the receiving packets match predetermined condition.

The location information is information with area specified by a region code, address, postal code, or longitude and latitude.

The authentication and key exchange means permits authentication when a propagation time of one-way or a round trip from the packets sending/receiving apparatus to the destination of the sending packets or sending source of the reception packets is shorter than a predetermined limit time between the packets sending/receiving apparatus to the destination of the sending packets or sending source of the reception packets.

The authentication and key exchange means permits authentication, in the case where there is a wireless transmission zone between a sending/reception zone between the packets sending/receiving apparatus to the destination of the sending packets or sending source of the reception packets, when it is confirmed that it is in a mode for scrambling and transmitting data in the wireless transfer zone.

The authentication and key exchange means includes: storage means for temporarily storing information regarding the destination of the sending packets or sending source of the reception packets when authentication is performed between the packets sending/receiving apparatus to the destination of the sending packets or sending source of the reception packets; verifying means for verifying the information stored in the storage means and the information regarding the destination of the sending packets or the information regarding the sending source of the reception packets when authentication is not confirmed since the packets sending/receiving apparatus and the destination of the sending packets or sending source of the reception packets do not match the predetermined conditions, and performing authentication between the packets sending/receiving apparatus and the destination of the sending packets or sending source of the reception packets.

The information regarding the destination of the sending packets and the information regarding the sending address of the reception packets includes at least one of a certificate, MAC address and biometric information.

The authentication and key exchange means performs predefined authentication and key exchange and updates the encryption key or decoding key in a predetermined period.

Timing information for indicating timing for the authentication and key exchange means to update the decoding key is added to the sending packets.

The timing for the authentication and key exchange means to update the decoding key is notified by changing a TCP port number, or UDP port number of the sending packets.

The timing for the authentication and key exchange means to update the decoding key is updated for every HTTP request when the sending packets uses HTTP.

The timing for the authentication and key exchange means to update the decoding key is changed for every certain amount of data when the sending packets uses HTTP.

The receiving source of the reception packets is updated within a predetermined period when the sending packets uses RTP.

Copy control information of DTCP scheme in the authentication and key exchange means is transmitted by adding encryption mode information to the reception packets.

The sending queue control means controls the first queue means and the second queue means such that data rate of the preferred data does not become smaller than a predetermined value.

The sending queue control means controls the first queue means and the second queue means such that the time for the preferred data to be stored in the second queue means is always smaller than a predetermined value.

The second packetization means includes a buffer means for temporarily storing data, a counter means for counting a length of the data, a packet header production means for producing packets header of the second packets, and a packets synchronization means for synchronizing packets by combining the packet header and a payload output from the buffer; and the packet header production means specifies a payload length of the second packets group, reads out the data stored in the buffer means, and inputs it to the packets synchronization means.

The second packetization means includes a buffer means for temporarily storing data extracted from the preferred data, a counter means for counting a length of the data, a packet header production means for producing packets headers using packetization information, and a packets production means for producing packets by combining the packet header and a payload; and the counter means outputs control data for reading out data which corresponds to a payload length from the buffer means.

The second packetization means includes a buffer means for temporarily storing data, a counter means for counting the data, a packet header production means for producing packets header using packetization information, error correction addition means for adding error correction to the data, and a packets synchronization means for synchronizing the packet header and the data with the error correction added; and the counter means outputs control data for reading out data which corresponds to a payload length from the buffer means.

In a layer for processing a reception frame of a layer lower than layers on which the preferred data and the general data are processed, the preferred data and the general data are selected from the communication protocol header of the reception packets included in the reception frame, and a process for the preferred data and a process for the general data are independently performed.

The second packetization means includes encryption switching means, and inputs an encryption key input to the encryption key switching means while switching the encryption key in the encryption means at a specified timing.

Timing used for the encryption key switching is timing generated in synchronization with a predetermined sequence number in packets header, which is an output for the packets header production means.

The timing for the authentication and key exchange means to update the decoding key is updated for every HTTP request when the sending packets uses HTTP.

The timing for the authentication and key exchange means to update the decoding key is changed for every certain amount of data when the sending packets uses HTTP.

Timing for the authentication and key exchange means to update the decoding key is within a predetermined period when the sending packets uses RTP.

Timing used for the encryption key switching is timing generated in synchronization with an endpoint and a start point of an error correction matrix.

According to the present invention, in order to solve the above-described problem, a packets sending/receiving apparatus logically connected via a network includes authentication and key exchange means (AKE means) for realizing protection of confidentiality and copyright of the sending data such as MPEG-TS, encryption means for encrypting the sending data, packetization means for producing sending packets using sending data, decoding means for decoding the encrypted sending data, sending condition setting management means for setting appropriate packets sending condition based on packets reception state fed back from a sending destination of the sending packets, packets reception means, and setting management means of the reception condition.

In this way, the DTCP scheme may be implemented on an IP protocol, which is a standard protocol of the Internet.

Further, it is possible to transmit packets (for example, IP packets) via a transmittable network and to decode data encrypted in the receiving apparatus.

According to one embodiment of the present invention, in the packetization means, the sending packets are classified into general packets and preferred packets which have a high real-time property and should be preferentially sent. The general packets are input to first data queue means and the preferred packets are input to second data queue means. Then, sending queue control means controls the sending order of the packets temporarily stored in the first data queue means and the second data queue means. In this way, data with higher real-time property can be preferentially sent while protecting the confidentiality and the copyright of the data.

When the input stream is a plurality of streams of two channels or more, signals regarding the respective streams may be classified into the preferred data and the general data.

According to one embodiment of the present invention, the packetization means includes first packetization means and second packetization means. In this embodiment, general data such as AKE related information is input to the first packetization means. Encryption sending data produced in the encryption means and the AKE related information are input to the second packetization means. In the second packetization means, packets are generated by hardware. The AKE related information is update information of copy control information and encryption key updated information.

Packets produced at the first packetization means are input to and temporarily stored in the first data queue means, and packets produced at the second packetization means are input to and temporarily stored in the second data queue means.

When the sending condition setting management means orders the sending queue control means to preferentially output a signal temporarily stored in the second data queue means, the encrypted data is preferentially output.

In such a control, if the second data queue means is controlled to avoid an overflow and there is a buffer of an appropriate size in the receiving apparatus, real time transmission of data contents can be realized between a sending apparatus and a receiving apparatus.

As described above, when data is encrypted and transmitted in a real-time manner between the sending apparatus and the receiving apparatus, there is no trouble such as un-sent sending packets or un-received reception packets generated because the software process cannot keep up, since the second packetization means is formed of hardware. Further, since the first packetization means with a small data amount can be formed of reasonably priced microcomputers and the like, the cost can be reduced.

According to one embodiment of the present invention, the AKE means for exchanging equipment authentication and the encryption key is a scheme based on a DTCP scheme, and includes encryption key production means, DTCP information production means, AKE command sending process means, AKE command reception process means, exchange key production means, encryption key change information production means, and decode key production means. The encryption key production means produces an encryption key, and inputs it to the encryption means to set an encryption operation. DTCP information production means uses copy control information input from outside and key update information input from the encryption key production means to produce AKE related information. The AKE command sending process means receives the encryption key from the encryption key production means, an AKE parameter from outside, and AKE command information from the AKE command reception process means, and produces and outputs the AKE sending command. The AKE command reception process means receives the AKE setting control information from the first packetization means and outputs setting control information respectively to the AKE sending processing means, the exchange key production means, and the encryption key change information production means. The encryption key change information production means obtains information from the AKE command reception process means and the first packets reception means to produce encryption key change information. The decoding key production means produces a decoding key using the information from the exchange key production means and the encryption key change information production means, and outputs it to the decoding process.

According to one embodiment of the present invention, the second packetization means, to which the encryption sending data produced at the encryption means and AKE related information (for example, copy control information and/or update information of the encryption key) are input, includes an error correction code addition means therein. An error correction code is added to such information and transmitted by UDP/IP protocol.

Accordingly, in transmission of IP packets, it becomes possible to restore the sending data by error correction in the receiving apparatus even when a packet loss or a bit error is generated at the network.

In one embodiment of the present invention, the preferred packets to be sent preferentially and the general packets with a lower sending priority compared to the preferred packets are multiplexed on the time line and sent. An average sending data rate of the preferred data in the preferred packets to be sent is controlled, for example, to send packets at a speed equal to or higher than the average input rate using hardware for exclusive use.

The general data is temporarily stored in the buffer means, and intermittently transmitted while the preferred data is preferentially transmitted. In this example, when the transmission rate of the general data is 1 Mbps or lower, transmission process of the general data is possible using processors such as reasonably priced CPUs and/or microcomputers.

Regarding the preferred data input as a stream, the invalid data portion of the stream is removed and only valid data is used to produce packets based on packetization information. In this example, when UDP/IP is used as a communication protocol, an IP address as an address and a UDP port number as a subaddress are used as a header.

According to one embodiment of the present invention, preferred data format information is obtained from the valid data to be used for determining a packetizing parameter with the packetizing information input from the outside. In this way, the automation of packetizing the preferred data can be performed in a unit of 80 bytes of DIF block when the preferred data is DV type, and in a unit of 188 bytes of TS packets when the preferred data is MPEG type. Thus, the structure of the sending/receiving apparatus can be made simple.

According to one embodiment of the present invention, the preferred data can be restored in the receiving apparatus even when packet loss is generated over the network by adding the error correction code to the preferred data in the preferred data packetization means in the sending apparatus.

One embodiment of the present invention relates to a transmission error protection function in the preferred data packetization means within the sending apparatus. By adding an error correction code after the preferred data is encrypted, even when a packet loss is generated in the network, the preferred data can be restored in the receiving apparatus. Moreover, data transmission which can prevent data eavesdropping on the network and has a high security is realized. In this way, even though a public network such as the Internet is used as a transmission path, eavesdropping and leakage of the preferred data (AV data) to be real-time transmitted can be prevented. Moreover, it becomes possible to sell and charge on AV data transmitted via the Internet and the like, and selling contents distribution of B-B, B-C with a high security becomes possible.

One embodiment of the present invention relates to a method for switching the encryption key which performs encryption. By using a phase of the error correction matrix as the switching phase, switching of the encryption key can be performed smoothly.
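The following Python sketch is an added illustration, not code from the patent: it encrypts 188-byte TS packets, adds one XOR parity packet per error correction matrix after encryption, and switches the key only at a matrix boundary, so that a packet rebuilt from parity is decrypted with the key of its matrix. The SHA-256 counter-mode keystream stands in for the DTCP cipher, and the matrix size, header fields and keys are assumptions.

```python
import hashlib

TS_SIZE = 188   # MPEG-TS packet size stated in the text
ROWS = 4        # data packets per error correction matrix (assumed value)

def keystream(key, seq, n):
    # Stand-in cipher: SHA-256 in counter mode, keyed per sequence number.
    # It is NOT the DTCP cipher; it only keeps the example self-contained.
    blocks = [hashlib.sha256(key + seq.to_bytes(4, "big") + bytes([i])).digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def send(ts_packets, keys, matrices_per_key=1):
    """Encrypt first, then add one parity packet per matrix of ROWS packets."""
    if len(ts_packets) % ROWS:
        raise ValueError("input must fill whole matrices")
    wire, seq = [], 0
    for m in range(len(ts_packets) // ROWS):
        key_id = (m // matrices_per_key) % len(keys)  # changes only between matrices
        parity = bytes(TS_SIZE)
        for ts in ts_packets[m * ROWS:(m + 1) * ROWS]:
            enc = xor(ts, keystream(keys[key_id], seq, TS_SIZE))
            parity = xor(parity, enc)                 # parity is taken over ciphertext
            wire.append({"seq": seq, "key_id": key_id, "parity": False, "payload": enc})
            seq += 1
        wire.append({"seq": seq, "key_id": key_id, "parity": True, "payload": parity})
        seq += 1
    return wire

def receive(packets, keys):
    """Rebuild at most one lost data packet per matrix, then decrypt.
    A matrix from which no packet arrived is not seen here at all."""
    matrices = {}
    for p in packets:
        matrices.setdefault(p["seq"] // (ROWS + 1), {})[p["seq"] % (ROWS + 1)] = p
    plain = []
    for m in sorted(matrices):
        got = matrices[m]
        missing = [i for i in range(ROWS) if i not in got]
        if len(missing) > 1 or (missing and ROWS not in got):
            raise ValueError(f"matrix {m}: loss exceeds parity capacity")
        # The key is constant inside a matrix, so any surviving header names it,
        # including for the packet that has to be rebuilt without its own header.
        key_id = next(iter(got.values()))["key_id"]
        if missing:
            rebuilt = got[ROWS]["payload"]
            for i in range(ROWS):
                if i in got:
                    rebuilt = xor(rebuilt, got[i]["payload"])
            got[missing[0]] = {"payload": rebuilt}
        for i in range(ROWS):
            seq = m * (ROWS + 1) + i                  # sequence number of this slot
            plain.append(xor(got[i]["payload"], keystream(keys[key_id], seq, TS_SIZE)))
    return plain

def demo():
    # Constructed sample input: eight TS-like packets starting with sync byte 0x47.
    ts = [bytes([0x47]) + bytes([n + 1]) * (TS_SIZE - 1) for n in range(8)]
    keys = [b"constructed-key-0", b"constructed-key-1"]
    wire = send(ts, keys)
    lossy = [p for p in wire if p["seq"] not in (1, 7)]  # one loss on each side of the key switch
    return receive(lossy, keys) == ts

if __name__ == "__main__":
    print("stream restored across key switch:", demo())
```

If the key changed in the middle of a matrix, the receiver could not tell from the surviving headers which key applies to the rebuilt packet; aligning the switch with the matrix boundary removes that ambiguity.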

One embodiment of the present invention relates to a setting of a port number of the packet header of the valid data packets. Since a table which determines a combination of the formats of the preferred data and/or channel number and a port number is provided in the sending apparatus and the receiving apparatus, a format can be detected by only detecting a port number of the receiving apparatus. Thus, a signal can be readily processed in the reception apparatus.

Further, when the two streams are received at the same time in the receiving apparatus in which two lines of stream processes are possible, it is possible to identify a format or channel with the port number.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a diagram showing an exemplary system to which the present invention can be applied.

FIG. 2 is a diagram for showing operations of a sending apparatus and a receiving apparatus in the case where a DTCP scheme is applied for authentication and key exchange.

FIG. 3 is a schematic view showing an example of applying the DTCP scheme to a two-storied house using Ethernet™.

FIG. 4 is a block diagram of a packets sending/receiving apparatus according to Embodiment 1 of the present invention.

FIG. 5 is a schematic diagram showing an exemplary packets format when packets are transmitted using MPEG-TS, and then a frame is produced for transmission.

FIG. 6 is a schematic view for illustrating a protocol stack according to Embodiment 1 of the present invention.

FIG. 7 is a block diagram of a packets sending/receiving apparatus according to Embodiment 2 of the present invention.

FIG. 8 is a block diagram of a packets sending/receiving apparatus according to Embodiment 3 of the present invention.

FIG. 9 is a schematic view for illustrating a protocol stack according to Embodiment 3 of the present invention.

FIG. 10 is a schematic view showing an example of packets format when packets are produced using MPEG-TS, and then a frame is produced for transmission.

FIG. 11 is a block diagram of a packets sending/receiving apparatus according to Embodiment 4 of the present invention.

FIG. 12 is a block diagram for illustrating packetization means and packets reception means according to Embodiment 4 of the present invention.

FIG. 13 is a block diagram for illustrating packetization means and packets reception means according to Embodiment 5 of the present invention.

FIG. 14 is a schematic view for illustrating a protocol stack according to Embodiment 5.

FIG. 15 is a schematic view for illustrating an example where the error correction scheme is a Reed-Solomon scheme.

FIG. 16 is a schematic view for illustrating an example where the error correction scheme is a parity scheme.

FIG. 17 is a block diagram of a packets sending/receiving apparatus according to Embodiment 6.

FIG. 18 is a block diagram of a packets sending/receiving apparatus according to another example of Embodiment 6 of the present invention.

FIG. 19 is a block diagram of a packets sending means according to Embodiment 7 of the present invention.

FIG. 20 is a schematic view for illustrating a protocol stack of preferred data packets.

FIG. 21 is a schematic view for illustrating a sending timing chart of preferred data packets and general data packets.

FIG. 22 is a block diagram showing packets sending means according to a variation of Embodiment 7 of the present invention.

FIG. 23 is a block diagram of packets sending means according to Embodiment 8.

FIG. 24 is a block diagram of packets sending means according to a variation of Embodiment 8 of the present invention.

FIG. 25 is a block diagram of packets sending means according to Embodiment 9.

FIG. 26 is a block diagram of preferred data packetization means according to a variation of Embodiment 9 of the present invention.

FIG. 27 is a block diagram of preferred data packetization means according to a variation of Embodiment 9 of the present invention.

FIG. 28 is a diagram showing packets structure when error correction is in a Reed-Solomon scheme.

FIG. 29 is a diagram showing packets structure when error correction is in a parity process scheme.

FIG. 30 is a block diagram of packets sending means according to Embodiment 10 of the present invention.

FIG. 31 is a block diagram of preferred data packetization means according to Embodiment 10 of the present invention.

FIG. 32 is a block diagram of preferred data packetization means according to Embodiment 11 of the present invention.

FIG. 33 is a schematic view for illustrating a switching timing for encryption.

FIG. 34 is a block diagram of preferred data packetization means according to Embodiment 12 of the present invention.

FIG. 35 is a block diagram of packets sending system which is applied to IEEE 1394 stream transmission according to Embodiment 13 of the present invention.

FIG. 36 is a block diagram showing packets sending system applied to a transmission of SDI/SDTI/DVB-ASI stream according to Embodiment 13 of the present invention.

FIG. 37 is a block diagram of packets sending/receiving apparatus according to Embodiment 13.

FIG. 38 is a schematic view illustrating a transmission of MPEG-TS via transmission media which conforms to the IEEE 1394 standard by using the DTCP scheme.

DETAILED DESCRIPTION

In the following description of the present specification, an apparatus which can send and receive information including packets will be referred to as a sending/receiving apparatus. Two sending/receiving apparatuses communicate information with each other. Further, in the following description of the present specification, a sending/receiving apparatus for sending data (for example, AV data) which is to be sent is referred to as a “sending apparatus”, and a sending/receiving apparatus for receiving such data sent by the sending apparatus will be referred to as a “receiving apparatus” for the sake of convenience.

First, an overview of a system to which the present invention can be applied will be described for clarifying the present invention.

FIG. 1 is a diagram showing an exemplary system to which the present invention can be applied.

A sending apparatus 101 sends data to a receiving apparatus 103 via a router 102.

More specifically, sending/receiving condition related information, authentication and key exchange (hereinafter, also referred to as AKE) setting information, and an input stream (data such as MPEG-TS) are input into the sending apparatus 101, and communication is performed based on the following procedures 1 through 3.

Procedure 1) Setting sending/receiving parameters

(1-1) Sets media access control (MAC) addresses, internet protocol (IP) addresses, transmission control protocol/user datagram protocol (TCP/UDP) port numbers and the like of the sending apparatus 101 and the receiving apparatus 103.

(1-2) Sets types and bands of signals to be sent.

The sending apparatus 101 and the receiving apparatus 103 function as quality of service (QoS) agents. The router 102 functions as a QoS manager. Setting related to a network using IEEE 802.1Q (VLAN) standard is performed between the QoS agents and the QoS managers.

(1-3) Sets priorities based on the IEEE 802.1Q/p standard.

Procedure 2) Authentication and key exchange

(2-1) The sending apparatus 101 and the receiving apparatus 103 authenticate each other and exchange keys with each other. In this case, for example, the DTCP scheme may be used.

Procedure 3) Data transmission

(3-1) Encrypted data (for example, MPEG-TS) is transmitted from the sending apparatus 101 to the receiving apparatus 103.

In FIG. 1, MPEG-TS is input to the sending apparatus 101 as an input stream. However, the present invention is not limited to this. The input stream may be, for example, an MPEG-TS stream such as MPEG1/2/4 (ISO/IEC 13818), streams standardized with DV (IEC 61834, IEC 61883), SMPTE 314M (DV-based), SMPTE 259M (SDI), SMPTE 305M (SDTI), SMPTE 292M (HDSDI) and the like.

Data to be sent from the sending apparatus 101 may be common AV data. Furthermore, data of the present invention may be files. When files are transferred as data, the data can be transmitted faster than real time, provided that the data transfer rate is larger than the normal reproduction data rate given the propagation delay time between the sending apparatus 101 and the receiving apparatus 103 and the processing abilities of the sending apparatus 101 and the receiving apparatus 103.

Next, with reference to FIG. 2, the authentication and key exchange in the above-mentioned procedure 2 will be further described.

FIG. 2 is a diagram for showing operations of the sending apparatus and the receiving apparatus in the case where the DTCP scheme is applied for authentication and key exchange.

Herein, authentication and key exchange (hereinafter, also referred to as AKE) which conform to the DTCP scheme are performed. In such a case, the sending apparatus 101 is also referred to as an AKE source and the receiving apparatus 103 is also referred to as an AKE sink.

The sending apparatus 101 and the receiving apparatus 103 are connected by an IP network.

First, protection mode information of data, including copy protection information of the data, is sent from the sending apparatus 101 to the receiving apparatus 103. Herein, the sending apparatus 101 may send encryption data at the same time.

The receiving apparatus 103 analyses the copy protection information of the data, determines the authentication scheme to be used, and sends an authentication request to the sending apparatus 101. By performing such operations, the sending apparatus 101 and the receiving apparatus 103 share the authentication key.

Next, the sending apparatus 101 encrypts the exchange key using the authentication key to produce an encryption exchange key. Then, the sending apparatus 101 sends the encryption exchange key to the receiving apparatus 103. The receiving apparatus 103 uses the authentication key which it shares with the sending apparatus 101 to decode the encryption exchange key and produces the exchange key.

Then, the sending apparatus 101 produces key change information, which changes over time, for changing the encryption key over time. Herein, the key change information is also referred to as seed information. The sending apparatus 101 sends the key change information to the receiving apparatus 103.

The sending apparatus 101 produces an encryption key using the exchange key and the key change information and encrypts data (for example, MPEG-TS) by encryption means using the encryption key to produce encryption data. Then, the sending apparatus 101 sends the encryption data to the receiving apparatus 103.

The receiving apparatus 103 produces an encryption key using the key change information and the exchange key. The receiving apparatus 103 decodes the encryption data using the encryption key. In the receiving apparatus 103, the encryption key is also referred to as a decode key.

Thereafter, the sending apparatus 101 and the receiving apparatus 103 may confirm the key change information of each other at any time.

FIG. 3 is a schematic view showing an example of applying the DTCP scheme to a two-storied house using Ethernet™.

A network structure 301 for the first floor includes a router 303. The router 303 is provided on the first floor. The network structure 301 is connected to the Internet via fiber to the home (FTTH) at 100 Mbps.

A network structure 302 for the second floor includes a switching hub 304. The switching hub 304 is provided on the second floor.

The router 303 is connected to the switching hub 304 via a network 305. In this way, the network structure 301 for the first floor is connected to the network structure 302 for the second floor. In this example, the network 305 is an Ethernet™ network for connecting the router 303 and the switching hub 304. The router 303 also functions as a switching hub.

The data rate of the Ethernet™ network for the entire house is 100 Mbps.

In the network structure 301 for the first floor, a television (TV), a personal computer (PC), and a digital versatile disc (DVD) recorder are connected to the router 303 by Ethernet™ of 100 Mbps. Further, an air conditioner and a refrigerator are connected by ECHONET.

In the network structure 302 for the second floor, a television (TV), a personal computer (PC), and a digital versatile disc (DVD) recorder are connected to the switching hub 304 by Ethernet™ of 100 Mbps. Further, an air conditioner is connected by ECHONET. ECHONET is a transmission scheme developed in “ECHONET CONSORTIUM” (http://www.echonet.gr.ip/).

In the example shown in FIG. 3, the personal computers (PCs), the DVD recorder, the router 303, and the switching hub 304 support IEEE 802.1Q standard (VLAN). Thus, data rates at all the ports are the same (for example, 100 Mbps). As long as the total data rate being output from a specific output port does not exceed the standard value or the effective value of that output port in the router 303 and the switching hub 304, data input from an input port is not lost at the router 303 or the switching hub 304 and is all output from an output port.

For example, even when data is input via eight input ports at the same time, if the output ports for the data are different, the data do not conflict with each other in a buffer provided inside the router 303 or the switching hub 304, and are switched and output from the output ports. Data input from the input ports are all output from the output ports without dropping a packet.

In the example shown in FIG. 3, the data rate of the entire Ethernet™ in the house is 100 Mbps and the data rate of the network 305 between the first floor and the second floor is also 100 Mbps. When a plurality of data flow between equipment on the first floor and equipment on the second floor, the total data rate flowing on the network 305 may exceed 100 Mbps if there is no limit on the data rate for each of the data. A data stream which requires real-time transmission, such as a video application using MPEG-TS, may be interrupted.

In this case, it is necessary to perform priority control with respect to the transmission data in order not to interrupt a data stream which requires real-time transmission. It becomes possible not to interrupt a data stream which requires real-time transmission by introducing a speed limit mechanism for stream transmission and file transfer, which will be described later, not only to a terminal, but also to the router 303 and the switching hub 304.

For instance, if a higher priority is given to transmission of MPEG-TS data which requires real-time transmission than to transmission of file data, it becomes possible to transfer a file between the PC at the first floor and the PC at the second floor and, at the same time, to encrypt MPEG-TS data and transmit it on a real-time basis between the DVD recorder, PC, or TV at the first floor and the DVD recorder, PC, or TV at the second floor.

The transmission speed limit mechanism at the router 303 or the switching hub 304 can be realized by data flow control. More specifically, data with high priority and data with low priority are compared at input data queue means of the router 303 or the switching hub 304. Buffer control rules used for the priority control scheme include: a round robin scheme; fluid fair scheduling scheme; weighting fair scheduling scheme; self-synchronization fair scheduling; WFFQ scheme; virtual clock scheduling scheme; classifying scheduling scheme; and the like. The details of the scheduling schemes are described in, for example, Iwao Toda, “Nettowaku QoS Gijutu (Network QoS Technique)”, May 25, 2001 (First edition), Ohmsha Ltd., Chapter 12.

Embodiment 1

FIG. 4 is a block diagram of a packets sending/receiving apparatus 401 according to Embodiment 1 of the present invention.

The packets sending/receiving apparatus 401 performs authentication and key exchange which conform to the DTCP scheme to send and receive packets. In this example, it is assumed that the packets sending/receiving apparatus 401 sends packets to another packets sending/receiving apparatus having similar functions to the packets sending/receiving apparatus 401 and receives packets from such packets sending/receiving apparatus. Thus, the packets sending/receiving apparatus 401 sends sending packets to the destination of the sending packets and receives reception packets from the source of the reception packets.

The packets sending/receiving apparatus 401 includes: authentication/key exchange means (hereinafter, also referred to as AKE means) 402 for producing an encryption key and a decoding key; encryption means 406 for producing encrypted sending data by encrypting sending data using the encryption key; sending condition setting management means 404 for producing sending condition setting information for setting sending conditions for sending packets using at least one of sending conditions related information, sending/receiving management information, and receiving condition setting information; packetization means 403 for producing sending packets; receiving condition setting management means 408 for producing receiving condition setting information for setting receiving conditions of reception packets using at least one of receiving condition related information and packet receiving information; packets reception means 405 for receiving reception packets, which extracts reception data included in the reception packets from the reception packets using the receiving condition setting information, produces packets receiving information from the reception packets, and outputs the packets receiving information to the authentication/key exchange means or the receiving condition setting management means 408; and decoding means 407 for decoding the reception data using the decoding key.

The packets sending/receiving apparatus 401 further includes framing means 409 for producing sending frames using the sending packets and frame reception means 410 for receiving reception frames. This allows the packets sending/receiving apparatus 401 to function as a sending apparatus for sending the sending frames including the sending packets as well as a receiving apparatus for receiving the reception frames including the reception packets.

Hereinafter, an example where the packets sending/receiving apparatus 401 sends the sending frames using TCP/IP or UDP/IP and the like will be described.

The sending condition related information, the sending/receiving management information, and the receiving condition setting information are input to the sending condition setting management means 404.

The sending condition related information includes, for example, the type of the sending data, information on the destination address or port number, path information (routing information) used for sending, a band of the sending data, and a priority for sending the sending data.

The sending/receiving management information includes equipment management control data in a sending apparatus (local) and a receiving apparatus (remote).

More specifically, the sending management information includes equipment management control data, such as a media access control address or location information, in the sending apparatus (local) and the receiving apparatus (remote). The location information is information with an area specified by a region code, address, postal code, or longitude and latitude. By using the location information, it becomes possible to limit the area of sending equipment and receiving equipment for authentication. Further, it is also possible to limit the authentication range by permitting authentication when the propagation time of the packets for one way or a round trip between the sending apparatus and the receiving apparatus is shorter than the predetermined limit time. For example, the authentication range can be limited by permitting authentication only when the round trip time (RTT) is 1 msec or shorter in an IP connection of the Ethernet scheme. Further, when a plurality of transmission media, for example, a wireless scheme such as the 802.11a standard or 802.11b standard and the Ethernet standard, are combined, authentication may be permitted by setting RTTs which respectively correspond to the propagation delay properties of the transmission media. Such times may be measured by commands specific to AKE, or may be realized by including a time stamp or location information in the packets addition information, as will be described with reference to FIG. 5.

Further, if there is a wireless transmission zone in a sending/receiving zone between the sending apparatus and the receiving apparatus, it is possible to prevent a third party from reading data due to data leakage in the wireless transmission zone by permitting authentication only after confirming that the zone is in a transmission mode in which data is encrypted and scrambled.

The receiving condition setting information includes information for feeding back a reception state of the receiving apparatus from the receiving apparatus to the sending apparatus. The information is input from the receiving condition setting management means 408 to the sending condition setting management means 404.

The sending condition setting management means 404 produces sending condition setting information using at least one of the sending condition related information, sending/receiving management information and receiving condition related information. The sending condition related information includes at least one of location information of the destination of the sending packets and location information of the source of received packets.

Using the sending condition setting information produced in the sending condition setting management means 404, the header, payload and the like are set in the packetization means 403 and the framing means 409. The sending condition setting management means 404 also outputs the sending condition setting information to the packetization means 403 and to packets addition information producing means 411 included in the packetization means 403.

To the AKE means 402, authentication and key exchange setting information (hereinafter, also referred to as AKE information) is input. From the AKE means 402, authentication and key exchange related information related to the AKE setting information (hereinafter, also referred to as AKE related information) is input to the packets addition information producing means 411. The authentication and key exchange related information includes, for example, copy protection information indicating the encryption state of encryption sending data at the time of transmission and encryption key change information.

For example, MPEG-TS is input as an input stream to the encryption means 406. The encryption means 406 takes a part of MPEG-TS as the sending data and encrypts the sending data using the encryption key produced at the AKE means 402 to produce the encryption sending data. The encryption sending data is output from the encryption means 406 to the packetization means 403.

The packetization means 403 produces sending packets by using the encryption sending data based on sending condition setting information produced in the sending condition setting management means 404.

The packetization means 403 includes the packets addition information producing means 411. The packets addition information producing means 411 produces packets addition information using at least one of sending condition setting information and authentication and key exchange related information.

The packetization means 403 converts the encryption sending data into a predetermined size and may add an internet protocol (IP) header defined as IPv4 or IPv6 by the IETF, add information indicating that the packets are preferred packets in a service type field in the IPv4 header or a type of service (TOS) field within the service type field, or add information indicating that the packets are preferred packets in a priority field of the IPv6 header.

The packets addition information produced at the packets addition information producing means 411 is input to the packetization means 403 and added to the encryption sending data. More specifically, the packets addition information is added to the encryption sending data as a part of a header of TCP/IP or UDP/IP protocol, and sending packets are produced.

To the sending packets, encryption mode information is also added as copy control information of the DTCP scheme in the AKE means 402.

To the sending packets, a MAC header is further added in the framing means 409 to form an Ethernet™ frame. The Ethernet™ frame is output from the framing means 409 to a network as a sending frame.

The copy control information of the contents is referred to as copy control information (CCI). The copy protection information indicating encryption at the transmission is referred to as encryption mode indicator (EMI). In general, EMI is used with a protection mode equal to or stronger than that of CCI.

Next, an example in which the packets sending/receiving apparatus 401 receives a reception frame will be described.

The frame reception means 410 receives a reception frame via the network.

The frame reception means 410 extracts a MAC header included in the reception frame and performs filtering based on the extracted MAC header. Then, the frame reception means 410 outputs IP packets obtained by filtering to the packets reception means 405.

In the packets reception means 405, filtering is performed by identifying an IP packets header of the IP packets to produce packets reception information. AKE information obtained as packets reception information by filtering is input to packets addition information extraction means 412 included in the packets reception means 405. The packets addition information extraction means 412 extracts packets addition information from the reception packets. The extracted packets addition information is output to the AKE means 402.

In this way, the AKE means of the sending apparatus and the AKE means of the receiving apparatus can be connected to each other on a one-on-one basis. Thus, they can exchange messages with each other via a communication protocol.

The AKE means 402 permits authentication when the location information of the packets sending/receiving apparatus 401 and the location information of the destination of the sending packets or the location information of the source of the reception packets match the predetermined condition.

The AKE means 402 permits authentication when the propagation time for one way or a round trip between the packets sending/receiving apparatus 401 and the destination of the sending packets or the source of the reception packets is shorter than the predetermined limit time.

Alternatively, when there is a wireless transmission zone in the sending/receiving zone between the packets sending/receiving apparatus 401 and the destination of the sending packets or the source of the reception packets, the AKE means 402 may permit authentication when it is confirmed that it is in a mode of scrambling data for transmission in the wireless transmission zone.

Therefore, authentication and key exchange can be performed in accordance with the setting procedure of the two AKE means.

After the authentication and key exchange are approved between the packets sending/receiving apparatus which functions as a sending apparatus and the packets sending/receiving apparatus which functions as a receiving apparatus, the sending apparatus sends encrypted AV data.

In the receiving apparatus, MPEG-TS data is input to the encryption means 406. The encryption means 406 encrypts the MPEG-TS data to produce encrypted MPEG-TS data. The encrypted MPEG-TS data is input to the packetization means 403. A header of TCP/IP protocol is added in the packetization means 403 to produce sending packets.

In the framing means 409, a MAC header is further added to the sending packets using the 802.1Q (VLAN) scheme to convert them into an Ethernet™ frame and to produce sending frames. The sending frames produced as such are output to the network.

By setting priority (user priority) in tag control information (TCI) in the MAC header, the priority of network transmission can be made higher than that of general data.

In the receiving apparatus, a signal input from the network is filtered based on the MAC header in the frame reception means 410, and is input to the packets reception means 405 as IP packets. The IP packets are filtered in the packets reception means 405 by identifying a packets header or the like, and are input to the decoding means 407. Then, decoded MPEG-TS is output.

To the sending condition setting management means 404, information for feeding back the reception state to the sending apparatus is input from the receiving condition setting management means 408 as receiving condition setting information. The sending condition setting management means 404 produces sending condition setting information based on this information. Based on the sending condition setting information, the header and the payload produced in the packetization means 403 and the framing means 409 are set.

FIG. 5 is a schematic diagram showing an exemplary packets format when packets are transmitted using MPEG-TS, and further, a frame is produced and transmitted. In this example, MPEG-TS conforms to ISO/IEC 13818. MPEG-TS may be a signal format based on ARIB standard, ARIB TR-B14, ARIB TR-B15, or ARIB STD-B21.

MPEG-TS to be input as an input stream is segmented in every 188 bytes. A time code (TC) of 6 bytes is added to the MPEG-TS of 188 bytes to form a unit of 194 bytes. In this example, TC includes a time stamp of 42 bits and a base-clock ID (BCID) of 6 bits.

BCID can represent frequency information of the time stamp.

For example:

(Case 1) When BCID is 0x00, there is no frequency information of the time stamp;

(Case 2) When BCID is 0x01, the frequency information of the time stamp is 27 MHz (system clock frequency of MPEG2);

(Case 3) When BCID is 0x02, the frequency information of the time stamp is 90 kHz (clock frequency used with MPEG1);

(Case 4) When BCID is 0x03, the frequency information of the time stamp is 24.576 MHz (clock frequency used with IEEE 1394); and

(Case 5) When BCID is 0x04, the frequency information of the time stamp is 100 MHz (frequency used in Ethernet™).

Two units of data of 194 bytes are combined and encrypted to produce encryption data. Then, packets addition information of 7 bytes is added to the encryption data. In this way, a payload of RTP protocol is formed.

In this example, the packets addition information includes encryption mode indicator (EMI) of 2 bits, odd/even (O/E) of 1 bit, reserved data of 13 bits and a time stamp or location information of 40 bits. EMI and O/E are defined by the DTCP scheme. Instead of O/E, seed information (Nc) of DTCP may be used.

The packets addition information producing means 411 (see FIG. 4) uses the AKE related information to produce EMI and O/E.

The time stamp or the location information is produced in the packets addition information producing means 411 (see FIG. 4) using sending condition setting information, and is located following the reserved data. The time stamp or the location information may also be located between the O/E and the reserved data.

The location information is information with an area specified by a region code, address, postal code, or longitude and latitude.

In this example, the packets addition information is 7 bytes. However, the packets addition information is not limited to 7 bytes.

The packets addition information may not include the time stamp or the location information. In such a case, the packets addition information becomes 2 bytes.

When the packets addition information of 7 bytes is added to the encryption data, the payload of the RTP protocol is formed. When an RTP header is added as a header, the RTP protocol is formed.
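The payload layout described above can be exercised with a small builder and a strict parser. This is an added example, not code from the patent: the bit order inside the TC and the packets addition information, the TC preceding each TS packet, the addition information preceding the encryption data, and encryption that preserves the 388-byte length are all assumptions, and the parser's rejection of non-zero reserved bits is a design choice of this example.

```python
"""Constructed example: RTP payload layout of FIG. 5 (field order is assumed)."""

TS_LEN = 188                      # one MPEG-TS packet
TC_LEN = 6                        # time code: 42-bit time stamp + 6-bit BCID
UNIT_LEN = TS_LEN + TC_LEN        # 194-byte unit
DATA_LEN = 2 * UNIT_LEN           # two units are combined, then encrypted
TS_SYNC = 0x47                    # first byte of every MPEG-TS packet

# BCID -> time stamp clock in Hz, Cases 1 to 5 of the text (None = no info)
BCID_HZ = {0x00: None, 0x01: 27_000_000, 0x02: 90_000,
           0x03: 24_576_000, 0x04: 100_000_000}


def _check(value, bits, name):
    if not 0 <= value < (1 << bits):
        raise ValueError(f"{name} does not fit in {bits} bits")


def pack_unit(ts_packet, timestamp, bcid):
    """Prefix a TS packet with its TC (assumed: stamp in the high 42 bits)."""
    if len(ts_packet) != TS_LEN or ts_packet[0] != TS_SYNC:
        raise ValueError("not a 188-byte MPEG-TS packet")
    _check(timestamp, 42, "time stamp")
    if bcid not in BCID_HZ:
        raise ValueError("BCID not listed in the text")
    return ((timestamp << 6) | bcid).to_bytes(TC_LEN, "big") + ts_packet


def unpack_unit(unit):
    """Split a decrypted 194-byte unit; a bad sync byte means a wrong key."""
    if len(unit) != UNIT_LEN:
        raise ValueError("unit must be 194 bytes")
    tc = int.from_bytes(unit[:TC_LEN], "big")
    bcid = tc & 0x3F
    if bcid not in BCID_HZ:
        raise ValueError("BCID not listed in the text")
    ts_packet = unit[TC_LEN:]
    if ts_packet[0] != TS_SYNC:
        raise ValueError("TS sync byte missing: wrong key or corrupt data")
    return {"timestamp": tc >> 6, "bcid": bcid,
            "clock_hz": BCID_HZ[bcid], "ts": ts_packet}


def pack_addition_info(emi, oe, stamp=None):
    """2-bit EMI, 1-bit O/E, 13 reserved zero bits, optional 40-bit stamp."""
    _check(emi, 2, "EMI")
    _check(oe, 1, "O/E")
    head = ((emi << 14) | (oe << 13)).to_bytes(2, "big")
    if stamp is None:
        return head                       # the 2-byte form
    _check(stamp, 40, "time stamp or location information")
    return head + stamp.to_bytes(5, "big")  # the 7-byte form


def build_payload(encrypted, emi, oe, stamp=None):
    if len(encrypted) != DATA_LEN:
        raise ValueError("encryption data must be 388 bytes")
    return pack_addition_info(emi, oe, stamp) + encrypted


def parse_payload(payload):
    """Receiver side: accept only the 2-byte and 7-byte forms."""
    info_len = len(payload) - DATA_LEN
    if info_len not in (2, 7):
        raise ValueError("unexpected payload length")
    head = int.from_bytes(payload[:2], "big")
    if head & 0x1FFF:
        raise ValueError("reserved bits are set")
    stamp = int.from_bytes(payload[2:7], "big") if info_len == 7 else None
    return {"emi": head >> 14, "oe": (head >> 13) & 1,
            "stamp": stamp, "encrypted": payload[info_len:]}


if __name__ == "__main__":
    ts = bytes([TS_SYNC]) + bytes(187)           # constructed TS packet
    units = pack_unit(ts, 1000, 0x01) + pack_unit(ts, 4008, 0x01)
    # The plaintext stands in for ciphertext here; no cipher is applied.
    print(parse_payload(build_payload(units, emi=1, oe=0, stamp=42)))
```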

The RTP protocol is a payload of TCP packets or UDP packets. When a TCP header or a UDP header is added, the TCP packets or the UDP packets are formed.

The TCP packets or the UDP packets are a payload of IP packets. When an IP header is added as a header, the IP packets are produced. In this example, the IP header is defined as IPv4 or IPv6 by the IETF.

Furthermore, the IP packets are a payload of a MAC frame. When an Ethernet header is added as a header, Ethernet packets are produced.

As the Ethernet™ header, both a standard Ethernet™ header and an Ethernet™ header extended with IEEE 802.1Q (VLAN) are applicable as shown in FIG. 5.

A standard Ethernet header is 14 bytes, and includes a destination address (DA) of 6 bytes, a source address (SA) of 6 bytes, and information indicating length/type of 2 bytes.

An Ethernet header extended with 802.1Q is 18 bytes. The Ethernet header extended with 802.1Q differs from a standard Ethernet header in that an 802.1Q extended part of 4 bytes is provided between the SA and the information indicating the length/type.

The 802.1Q extended part includes tag control ID (TPID) of 2 bytes and tag control information (TCI) of 2 bytes which indicates VLAN priority.

TCI includes priority (user priority) of 3 bits, canonical format indicator (CFI) of 1 bit and VLAN Identifier (VID) of 12 bits.

How to use priority is defined by ISO/IEC 15802-3. With a flag of the priority, the priority of the Ethernet™ frame can be set.
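The two header forms and the MAC-based filtering of the frame reception means can be shown together. This is an added example, not code from the patent: the function names and MAC addresses are constructed, the TPID value 0x8100 and the IPv4/IPv6 type values come from the IEEE and IANA assignments rather than from the page, and the filter accepts only unicast frames addressed to the receiver.

```python
"""Constructed example: standard and 802.1Q-extended Ethernet headers."""
import struct

TPID_8021Q = 0x8100        # marks the 4-byte 802.1Q extended part
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD


def build_header(dst, src, ethertype, priority=None, vid=0, cfi=0):
    """Return a 14-byte header, or an 18-byte one when a priority is given."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("DA and SA are 6 bytes each")
    head = dst + src
    if priority is not None:
        if not (0 <= priority < 8 and 0 <= vid < 4096 and cfi in (0, 1)):
            raise ValueError("TCI field out of range")
        # TCI: 3-bit user priority, 1-bit CFI, 12-bit VID
        tci = (priority << 13) | (cfi << 12) | vid
        head += struct.pack("!HH", TPID_8021Q, tci)
    return head + struct.pack("!H", ethertype)


def parse_header(frame):
    """Parse either header form; raise ValueError on a truncated frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (field,) = struct.unpack_from("!H", frame, 12)
    tag, offset = None, 14
    if field == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, field = struct.unpack_from("!HH", frame, 14)
        tag = {"priority": tci >> 13, "cfi": (tci >> 12) & 1,
               "vid": tci & 0x0FFF}
        offset = 18
    return {"dst": dst, "src": src, "ethertype": field,
            "tag": tag, "payload": frame[offset:]}


def receive_filter(frame, own_mac):
    """Frame reception step: return (priority, ip_packet) or None.

    priority is None for an untagged frame. Frames for another station,
    non-IP frames and malformed frames are dropped.
    """
    try:
        hdr = parse_header(frame)
    except ValueError:
        return None
    if hdr["dst"] != own_mac:
        return None
    if hdr["ethertype"] not in (ETHERTYPE_IPV4, ETHERTYPE_IPV6):
        return None
    priority = hdr["tag"]["priority"] if hdr["tag"] else None
    return priority, hdr["payload"]


if __name__ == "__main__":
    # Constructed, locally administered addresses
    sender = bytes.fromhex("020000000001")
    receiver = bytes.fromhex("020000000002")
    ip_packet = b"\x45" + bytes(19)                     # stand-in IP packet
    av = build_header(receiver, sender, ETHERTYPE_IPV4, priority=5) + ip_packet
    general = build_header(receiver, sender, ETHERTYPE_IPV4) + ip_packet
    print(receive_filter(av, receiver)[0], receive_filter(general, receiver)[0])
```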

FIG. 6 is a schematic view for illustrating a protocol stack accordingto Embodiment 1 of the present invention.

On the left of side of FIG. 6, a hierarchy of open systemsinterconnection (OSI) is shown. The hierarchy includes a link layer, anetwork layer, a transmission layer, and an application layer in thisorder from the bottom.

First, encryption data is sent from the sending apparatus to thereceiving apparatus via a data port, and AKE related information is sentvia an AKE port.

In the receiving apparatus, copy protection information of data isanalyzed and an authentification scheme is determined. Then,authentification request is sent to the sending apparatus.

Next, in the sending apparatus, a random number is generated. The randomnumber is input into a predetermined function to produce an exchangekey. When information of the exchange key is input into a predeterminedfunction, an authentification key is produced.

In the receiving apparatus, a predetermined process is performed toproduce the authentification key. In this way, the sending apparatus andthe receiving apparatus share the authentification key.

In this example, information used for encryption is information producedby combining one or more of information unique to the sending apparatus(for example, equipment ID, authentification information of theequipment, MAC address, and the like), secret key, public key,information provided from outside. Secure encryption can be achieved byusing encryption scheme with a high encryption strength such as DESscheme or AES scheme.

Next, the sending apparatus encrypts the exchange key using theauthentification key to produce an encryption exchange key and outputsthe encryption exchange key to the receiving apparatus. The receivingapparatus uses the authentification key to decode the encryptionexchange key to the exchange key. Further, the exchange key and initialkey update information are input into a predetermined function andproduces the encryption key (decode key).

Further, the receiving apparatus produces key update information whichchanges over time for changing the encryption key over time, and sendthe key update information to the receiving apparatus.

In the sending apparatus, MEPG-TS data, which is contents data, isencrypted with the encryption key, and encryption data is produced. Theencryption data becomes payload of TCP (or UDP) packets as AV data withthe above-mentioned EMI and O/E, and the TCP (or UDP) packets areproduced. Further, the TCP (or UDP) packets are used as a payload of IPpackets, and the IP packets are produced. The IP packets are used as apayload of a MAC frame, and the Ethernet™ MAC frame is produced.

MAC can be applied not only to IEEE 802.3 standard, which is a standardfor Ethernet™, but also to MAC of IEEE 802.11 standard, which is astandard for the wireless LAN.

Ethernet™ MAC frame is transmitted from the sending apparatus to thereceiving apparatus over Ethernet™. The receiving apparatus produces theencryption key (decode key) in accordance with a predeterminedprocedure. Then, the IP packets are filtered from the received Ethernet™MAC frame. Further, the TCP (or UDP) packets are extracted from the IPpackets. Then, AV data is extracted from the TCP (or UDP) packets. Byusing the exchange key and the encryption key (decode key) producedusing the key change information, data (MEPG-TS) is decoded.

Preferably, the timing information indicating timing for the AKE means 402 to update the decode key is added to sending packets. In such a case, the timing for the AKE means 402 to update the decode key may be notified by changing a TCP port number or UDP port number of the sending packets.

When the sending packets use HTTP, the timing for the AKE means 402 to update the decode key may be updated for every HTTP request, or may be changed for every constant amount of data.

Alternatively, in the case where the sending packets use RTP, the timing for the AKE means 402 to update the decode key may be updated within a predetermined period (for example, 60 seconds).

As described above, it is possible to encrypt data such as MPEG-TS in the sending apparatus, transmit the IP packets via the network with HTTP/TCP/IP or RTP/UDP/IP, and decode to original data in the receiving apparatus. If the above-mentioned O/E or seed information (Nc) is updated in accordance with a certain rule, for example, for every HTTP request, or for every constant amount of AV data (for example, 1 MB), or within a predetermined time, security can be further improved.

Now, with reference to FIG. 3 again, how stream transmission and file transfer can become compatible by changing a network topology using the switching hub will be described.

For example, by extending the data rate of the network 305 between the first floor and the second floor from 100 Mbps to 1 Gbps, it becomes possible to transfer a file between the PC of the first floor and the PC of the second floor, and to encrypt and transmit in real time MPEG-TS between the DVD recorder, PC or TV of the first floor and the DVD recorder, PC or TV of the second floor at the same time.

For example, a commercially available switching hub having eight ports of 100 Mbps and one port of 1 Gbps is used. The port of 1 Gbps is connected to the network 305 which connects the network structure 301 for the first floor and the network structure 302 for the second floor. AV equipment such as TV are connected to the remaining eight ports of 100 Mbps. Since there are eight 100 Mbps ports, even when data is respectively input to the eight ports at a maximum of 100 Mbps and output from one port, the total data rate of the input ports is 800 Mbps (100 Mbps × 8 ch). This value is smaller than 1 Gbps. Thus, data input from the eight input ports is not lost in the switching hub, and is all output from the output port.

Therefore, it is possible to transmit all the data to be output from AV equipment on the first floor to the second floor via the network 305. It is also possible to transmit all the data to be output from AV equipment on the second floor to the first floor via the network 305.

By using the switching hub as described above, real-time transmission of data and file transfer can be performed at the same time.

Embodiment 2

FIG. 7 is a block diagram of a packets sending/receiving apparatus 401A according to Embodiment 2 of the present invention.

The packets sending/receiving apparatus 401A has a structure similar to that of the packets sending/receiving apparatus 401 described with reference to FIG. 4 in Embodiment 1, except that it further includes sending queue control means 601, first queue means 602, and second queue means 603. In the following description, the sending queue control means 601, the first queue means 602 and the second queue means 603 will be mainly described in order to simplify the description.

The packetization means 403 performs a TCP/IP protocol process on general data to produce a first packets group, and outputs the first packets group to the first queue means 602. In this example, general data is, for example, sending condition setting information or AKE related information.

The first queue means 602 temporarily stores the first packets.

The packetization means 403 again performs a TCP/IP protocol process on the encryption sending data produced at the encryption means 406 to produce second packets, and outputs the second packets to the second queue means 603.

The second queue means 603 temporarily stores the second packets.

The packetization means 403 uses general data for producing the first packets group, while it uses the encryption data, which is contents data, to produce the second packets group.

The sending queue control means 601 controls which packets are to be output preferentially based on the sending condition setting information when the packets are temporarily stored in the first queue means 602 and the second queue means 603.

Specifically, the sending queue control means 601 controls which of the first packets stored in the first queue means and the second packets stored in the second queue means is to be sent by using at least one of the information regarding a sending path of the first packets or the second packets, information regarding a bandwidth required for sending the first packets or the second packets, information regarding a delay between the sending and the arrival of the sending packets, and information regarding a priority of the first packets or the second packets.

In the normal state, the sending queue control means 601 controls the first queue means 602 and the second queue means 603 so as to output contents data such as MPEG-TS preferentially over general data. In other words, the sending queue control means 601 handles the encryption sending data, which is contents data, as preferred data which is given a priority over general data.

The preferred data has at least one of data stream formats such as an uncompressed SD format signal defined by SMPTE 259M standard, an uncompressed HD format defined by SMPTE 292 standard, a transmission stream format of DV or MPEG-TS by IEEE 1394 defined by IEC 61883, MPEG-TS format by DVB-ASI defined by DVB standard A010, MPEG-PS format, MPEG-ES format, and MPEG-PES format.

The sending queue control means 601 may use any one of control schemes such as the RSVP scheme described in IETF RFC2205, RFC2208, RFC2209; the Intserv scheme described in IETF RFC2210, RFC2211, RFC2212, RFC2215; and the Diffserv scheme described in IETF RFC2474, RFC2475, RFC2597, RFC2598.

The framing means 409 uses the first packets or the second packets respectively output from the first queue means 602 and the second queue means 603 to produce a sending frame, and outputs the sending frame to the network.

The sending queue control means 601 may control the first queue means and the second queue means so as to average a period between the first packets to be sent from the first queue means 602 and the second packets to be sent from the second queue means 603.

In general, when MPEG-TS is transmitted from the sending apparatus to the receiving apparatus with a low delay, overflow is more likely to occur since the buffer for MPEG-TS is small.

In the sending apparatus, when a buffer for MPEG-TS (for example, a buffer of the second queue means 603) nearly overflows, or it turns out, with reference to information fed back from the receiving apparatus, that a buffer for MPEG-TS in the receiving apparatus nearly underflows, such a crash of a buffer can be avoided by further increasing the priority of the second queue means 603 adaptively so as to preferentially output data of MPEG-TS.

When the sending apparatus remotely operates the receiving apparatus, the priority of the first queue means 602 may be increased adaptively in the sending apparatus in order to speed up control response such as reproduction and stop of the receiving apparatus. However, in such a case, the buffer for the MPEG-TS may overflow or underflow.

Accordingly, for the sending apparatus to remotely operate the receiving apparatus so as to avoid overflow and underflow of the buffer, and to increase the speed of control response such as reproduction and stop of the receiving apparatus, a rapid control response can be realized by outputting packets for remotely controlling the receiving apparatus directly from the packetization means 403 to the framing means 409 without passing through the queue means. Alternatively, a rapid control response can be realized by newly providing third queue means for packets for remotely controlling the receiving apparatus.

The operation of the receiving apparatus is similar to that in Embodiment 1.

Preferably, the sending queue control means 601 controls the first queue means 602 and the second queue means 603 such that the data rate of the second packets group does not become smaller than a predetermined value. Further, it is preferable that the sending queue control means 601 controls the first queue means 602 and the second queue means 603 such that storage time in the second queue means 603 is always smaller than the predetermined value.

Embodiment 3

Embodiment 3 will be described.

FIG. 8 is a block diagram of a packets sending/receiving apparatus 401B according to Embodiment 3 of the present invention.

The packets sending/receiving apparatus 401B has a structure similar to that of the packets sending/receiving apparatus 401A described with reference to FIG. 7 in Embodiment 2, except that the packetization means 403 includes first packetization means 701 and second packetization means 702, and the packets reception means 405 includes first packets reception means 703 and second packets reception means 704. In the following description, the first packetization means 701, the second packetization means 702, the first packets reception means 703 and the second packets reception means 704 will be mainly described in order to simplify the description.

First, how the receiving/sending apparatus 401B sends a sending frame will be described.

The first packetization means 701 includes a processor, for example. To the first packetization means 701, the sending condition setting information and the AKE related information produced at the sending condition setting management means 404 are input. The first packetization means 701 produces first packets by performing a TCP/IP protocol process on the sending condition setting information and the AKE related information with a software process using a processor. The first packetization means 701 outputs the first packets to the first queue means 602.

The first packetization means 701 adds at least one header from RTCP, RTSP, HTTP, TCP, UDP, and IP, which are data process protocols defined by the IETF document.

To the second packetization means 702, the encryption sending data, which is sending data such as MPEG-TS encrypted by the encryption means 406, is input. The AKE related information may be input to the second packetization means 702. The AKE related information is, for example, copy control information, encryption update information, and the like.

The second packetization means 702 produces second packets by performing a UDP/IP protocol process on the encryption sending data with a hardware process. The second packetization means 702 outputs the second packets to the second queue means 603.

The second packetization means 702 adds to the data a sequence number, or at least one header from RTP, UDP, HTTP, TCP, IP, which are data process protocols defined in the IETF document.

As in Embodiment 2 described above, the sending queue control means 601 controls which of the packets in the first queue means 602 and the second queue means 603 is to be output when packets are temporarily stored in both the first queue means 602 and the second queue means 603.

How the sending/receiving apparatus 401B receives a reception frame will now be described.

The frame reception means 410 receives a reception frame via the network.

The frame reception means 410 filters IP packets from the reception frame based on the MAC header.

When the IP packets are the same packets as the first packets produced at the first packetization means 701, the IP packets are input to the first packetization means 701. When the IP packets are the same packets as the second packets produced at the second packetization means 703, the IP packets are input to the second packetization means 704.

In the first packets reception means 703, a reception process of the TCP/IP protocol is performed with a software process using a processor. The packets reception information produced by the process is output to the AKE means 402 or the reception condition setting management means 408.

In the second packets reception means 704, a reception process of the UDP/IP protocol is performed with a hardware process. Reception data extracted by the process is output to the decoding means 407. The decoding means 407 decodes encryption of the reception data.

Next, the above-mentioned procedure will be further explained in detail using a protocol stack of FIG. 9.

FIG. 9 is a schematic view for illustrating a protocol stack according to Embodiment 3 of the present invention.

The protocol stack shown in FIG. 9 has a structure similar to that of the protocol stack described with reference to FIG. 6, except that the transmission layer of AV data such as MPEG-TS is UDP. Thus, in the following description, the point that the transmission layer is UDP will be described.

In the sending apparatus, sending data (for example, MPEG-TS), which is contents, is encrypted using encryption key Kc to produce encryption sending data. The encryption sending data becomes a payload of UDP packets by hardware as AV data with the above-mentioned EMI and O/E. By adding a UDP header, UDP packets are produced. Further, the UDP packets are used as a payload of the IP packets, and the IP packets are produced by adding an IP header.

The EMI and O/E may be transmitted from the sending apparatus to the receiving apparatus by, for example, producing other packets which are exclusively used. In such a case, decoding of the encryption key becomes more difficult, and eavesdropping and leakage of the contents can be made more difficult. In a public network such as the Internet, eavesdropping and leakage of the contents can be made more difficult by changing an encryption parameter of the AV data transmitted in real time, or by sending it as other packets.

As for the management control data, similarly to the example shown in FIG. 6, the TCP packets are produced by a software process and the IP packets are produced.

The Ethernet™ MAC frame is transmitted from the sending apparatus to the receiving apparatus over the Ethernet™. In the receiving apparatus, an encryption key is produced in accordance with a predetermined procedure. IP packets are filtered from the received Ethernet™ MAC frame. Further, UDP packets are extracted from the IP packets. Reception data is extracted from the UDP packets. Using the encryption key Kc, reception data (for example, MPEG-TS) is decoded.

In a layer for processing the reception frame which is a lower layer than a layer for processing encryption sending data and general data, preferred data and general data can be selected from communication protocol headers of the reception packets included in the reception frame, and a process for the preferred data and a process for the general data can be performed independently.

FIG. 10 is a schematic view showing an example of packets format when packets are produced using MPEG-TS, and a frame is produced for transmission. In this example, MPEG-TS also conforms to ISO/IEC 13818.

The MPEG-TS input as an input stream is segmented every 188 bytes. A time code (TC) of 6 bytes may be added to MPEG-TS of 188 bytes to form a unit of 194 bytes. In this example, TC includes a time stamp of 42 bits and a basis clock ID (BCID) of 6 bits.

The BCID can represent frequency information of the time stamp.

For example:

(Case 1) When BCID is 0x00, there is no frequency information of the time stamp;

(Case 2) When BCID is 0x01, the frequency information of the time stamp is 27 MHz (system clock frequency of MPEG2);

(Case 3) When BCID is 0x02, the frequency information of the time stamp is 90 kHz (clock frequency used with MPEG1);

(Case 4) When BCID is 0x03, the frequency information of the time stamp is 24.576 MHz (clock frequency used with IEEE 1394); and

(Case 5) When BCID is 0x04, the frequency information of the time stamp is 100 MHz (frequency used in Ethernet™).

Two units of data of 194 bytes are combined and encrypted to produce encryption data. Then, packets addition information of 2 bytes is added to the encryption data. In this way, a payload of RTP protocol is formed.

In this example, the packets addition information includes an encryption mode indicator (EMI) of 2 bits, odd/even (O/E) of 1 bit, reserved data of 13 bits and a time stamp or location information of 40 bits. EMI and O/E are defined by the DTCP scheme. Instead of O/E, seed information (Nc) of DTCP may be used.

The packets addition information producing means 411 (see FIG. 4) uses the AKE related information to produce EMI and O/E.

The time stamp or the location information is produced in the packets addition information producing means 411 (see FIG. 4) using sending condition setting information, and is located following the reserved data. The time stamp or the location information may also be located between the O/E and the reserved data.

The location information is information with an area specified by a region code, address, postal code, or longitude and latitude.

In this example, the packets addition information is 7 bytes. However, the packets addition information is not limited to 7 bytes.

The packets addition information may not include the time stamp or the location information. In such a case, the packets addition information becomes 2 bytes.

When the packets addition information of 7 bytes is added to the encryption data, the payload of the RTP protocol is formed. When an RTP header is added as a header, the RTP protocol is formed.
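The payload layout described above can be packed and parsed as follows. This is an added example, not code from the specification; it assumes that the TC precedes each 188-byte packet, that the time stamp occupies the upper 42 bits of the TC, that the packets addition information precedes the encryption data, and that the cipher preserves length. The XOR function is only a placeholder for the encryption means.

```python
import struct

TS_LEN = 188                 # one MPEG-TS packet
TC_LEN = 6                   # time code: 42-bit time stamp + 6-bit BCID
UNIT_LEN = TS_LEN + TC_LEN   # 194 bytes
UNITS = 2                    # two units are combined, then encrypted
INFO_LEN = 7                 # packets addition information with a 40-bit stamp

# BCID -> time stamp frequency in Hz (Cases 1 to 5); None = no information.
BCID_HZ = {0x00: None, 0x01: 27_000_000, 0x02: 90_000,
           0x03: 24_576_000, 0x04: 100_000_000}


def pack_unit(ts_packet, timestamp, bcid):
    """Prefix one 188-byte TS packet with its 6-byte time code."""
    if len(ts_packet) != TS_LEN:
        raise ValueError("TS packet must be 188 bytes")
    if not (0 <= timestamp < (1 << 42)) or not (0 <= bcid < 64):
        raise ValueError("time stamp or BCID out of range")
    # Assumed layout: time stamp in the upper 42 bits, BCID in the lower 6.
    return ((timestamp << 6) | bcid).to_bytes(TC_LEN, "big") + ts_packet


def pack_info(emi, oe, stamp):
    """EMI (2 bits), O/E (1 bit), reserved (13 bits), stamp (40 bits)."""
    if not (0 <= emi < 4 and oe in (0, 1) and 0 <= stamp < (1 << 40)):
        raise ValueError("field out of range")
    head = (emi << 14) | (oe << 13)          # reserved bits left at zero
    return struct.pack(">H", head) + stamp.to_bytes(5, "big")


def build_payload(units, emi, oe, stamp, encrypt):
    """units: two 194-byte units; encrypt: callable applied to the 388 bytes."""
    if len(units) != UNITS or any(len(u) != UNIT_LEN for u in units):
        raise ValueError("need exactly two 194-byte units")
    body = encrypt(b"".join(units))
    if len(body) != UNITS * UNIT_LEN:
        raise ValueError("cipher must preserve length (assumption)")
    return pack_info(emi, oe, stamp) + body  # assumed: information comes first


def parse_payload(payload, decrypt):
    """Validate the length, split the header bits, decode and split the units."""
    if len(payload) != INFO_LEN + UNITS * UNIT_LEN:
        raise ValueError("unexpected payload length %d" % len(payload))
    (head,) = struct.unpack(">H", payload[:2])
    info = {"emi": head >> 14, "oe": (head >> 13) & 1,
            "reserved": head & 0x1FFF,
            "stamp": int.from_bytes(payload[2:INFO_LEN], "big")}
    clear = decrypt(payload[INFO_LEN:])
    units = []
    for off in range(0, len(clear), UNIT_LEN):
        tc = int.from_bytes(clear[off:off + TC_LEN], "big")
        units.append({"timestamp": tc >> 6, "bcid": tc & 0x3F,
                      "hz": BCID_HZ.get(tc & 0x3F),
                      "ts": clear[off + TC_LEN:off + UNIT_LEN]})
    return info, units


def demo():
    # Constructed sample: two TS packets (sync byte 0x47 followed by zeros).
    ts = b"\x47" + bytes(187)
    xor = lambda data: bytes(b ^ 0x5A for b in data)  # placeholder, NOT a cipher
    units = [pack_unit(ts, 1000, 0x01), pack_unit(ts, 2000, 0x01)]
    payload = build_payload(units, emi=0b11, oe=1, stamp=0x0102030405,
                            encrypt=xor)
    return payload, parse_payload(payload, decrypt=xor)
```

A receiver that rejects payloads of unexpected length before decoding never hands a short or oversized buffer to the decoding means.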

The RTP protocol is a payload of TCP packets or UDP packets. When a TCP header or a UDP header is added, the TCP packets or the UDP packets are formed.

The TCP packet or the UDP packet is a payload of an IP packet. When an IP header is added as a header, the IP packet is produced.

Furthermore, the IP packets are a payload of a MAC frame. When an Ethernet header is added as a header, Ethernet packets are produced.

As the Ethernet™ header, both a standard Ethernet™ header and an Ethernet™ header extended with IEEE 802.1Q (VLAN) are applicable as shown in FIG. 10.

A standard Ethernet header is 14 bytes, and includes destination address (DA) of 6 bytes, source address (SA) of 6 bytes, and information indicating length/type of 2 bytes.

An Ethernet header extended with 802.1Q is 18 bytes. The Ethernet header extended with 802.1Q differs from a standard Ethernet header in that an 802.1Q extended part of 4 bytes is provided between the SA and the information indicating the length/type.

The 802.1Q extended part includes tag control ID (TPID) of 2 bytes and tag control information (TCI) of 2 bytes which indicates VLAN priority.

TCI includes priority (user priority) of 3 bits, canonical format indicator (CFI) of 1 bit and VLAN Identifier (VID) of 12 bits.

How to use priority is defined by ISO/IEC 15802-3. With a flag of the priority, priority of the Ethernet™ frame can be set.
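The two header forms, and the selection of preferred data from the protocol headers in the reception path, can be sketched as below. This is an added example, not part of the specification; the UDP port 5004 for the content stream and the rule "UDP to that port is preferred data" are assumptions made for illustration, and the sample frames are constructed.

```python
import struct

TPID_8021Q = 0x8100      # value of the TPID field in an 802.1Q tagged frame
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17
AV_UDP_PORT = 5004       # hypothetical port of the content stream (assumption)


def parse_ethernet(frame):
    """Return (header fields, offset of the MAC payload)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than a standard Ethernet header")
    hdr = {"da": frame[0:6], "sa": frame[6:12], "vlan": None}
    (field,) = struct.unpack(">H", frame[12:14])
    offset = 14
    if field == TPID_8021Q:                      # 18-byte extended header
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q extended header")
        tci, field = struct.unpack(">HH", frame[14:18])
        hdr["vlan"] = {"priority": tci >> 13, "cfi": (tci >> 12) & 1,
                       "vid": tci & 0x0FFF}
        offset = 18
    hdr["length_type"] = field
    return hdr, offset


def classify(frame):
    """'preferred' for the content stream, 'general' for other IPv4, else 'other'."""
    hdr, off = parse_ethernet(frame)
    if hdr["length_type"] != ETHERTYPE_IPV4:
        return "other"
    ip = frame[off:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("not a complete IPv4 header")
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or len(ip) < ihl:
        raise ValueError("bad IPv4 header length")
    (frag,) = struct.unpack(">H", ip[6:8])
    if frag & 0x1FFF:                            # later fragment: no UDP header here
        return "general"
    if ip[9] == PROTO_UDP:
        if len(ip) < ihl + 8:
            raise ValueError("truncated UDP header")
        (dport,) = struct.unpack(">H", ip[ihl + 2:ihl + 4])
        if dport == AV_UDP_PORT:
            return "preferred"
    return "general"


def sample_frame(tagged, proto, dport):
    """Constructed test frame; the IPv4 checksum is left at zero and not verified."""
    if proto == PROTO_UDP:
        l4 = struct.pack(">HHHH", 40000, dport, 8, 0)
    else:
        l4 = struct.pack(">HHIIHHHH", 40000, dport, 0, 0, 0x5000, 0, 0, 0)
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto,
                     0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    mac = bytes.fromhex("020000000002") + bytes.fromhex("020000000001")
    tag = struct.pack(">HH", TPID_8021Q, (5 << 13) | 10) if tagged else b""
    return mac + tag + struct.pack(">H", ETHERTYPE_IPV4) + ip + l4
```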

In this way, sending data (for example, MPEG-TS) is encrypted between the sending apparatus and the receiving apparatus and real-time transmission becomes possible. Further, since the second packetization means is formed with hardware, essentially, there are no un-sent sending packets or un-received reception packets due to a software process. Thus, all the preferred data packets are completely sent, and transmission of high-quality image with a secured real-time property becomes possible.

Further, general data is temporarily stored in a buffer and intermittently transmitted while the preferred data is being transmitted preferentially. The first packetization means 701 may be formed of a reasonable processor such as microcomputers.

Further, with a hardware process, an Ethernet™ frame can be received and the IP header of the third layer and the UDP header of the fourth layer can be checked at the same time in a reception process.

Packets of contents data (for example, MPEG-TS), which are preferred data, and packets of general data are separated, and a process of the packets of the contents data is performed with hardware. Thus, there is no un-received reception frame and a high-quality reception with a real-time property secured can be performed.

By controlling the timing for sending packets, or the percentage of sending packets from the two queue means, by hardware instead of software, it becomes possible to completely control sending in a clock unit. In this way, all the preferred packets can be completely sent and a high-quality transmission with a real-time property secured becomes possible. Since shaping of the output packets is accurately performed in a clock unit, a high-quality communication with a very small percentage of packets dropping at a router in a first stage or a switching hub becomes possible.

Embodiment 4

FIG. 11 is a block diagram of a packets sending/receiving apparatus 401C according to Embodiment 4 of the present invention.

The packets sending/receiving apparatus 401C has a structure similar to that of the packets sending/receiving apparatus 401B described with reference to FIG. 8 in Embodiment 4, except that the AKE means 402 includes DTCP information production means 1001, AKE command reception process means 1002, AKE command sending process means 1003, exchange key production means 1004, encryption key production means 1005, encryption key change information production means 1006, and decoding key production means 1007. Therefore, in the following description, the DTCP information production means 1001, the AKE command reception process means 1002, the AKE command sending process means 1003, the exchange key production means 1004, the encryption key production means 1005, the encryption key change information production means 1006, and the decoding key production means 1007 are mainly described.

In the packets sending/receiving apparatus 401C, encryption sending data is sent with the DTCP scheme in accordance with the following steps. In this embodiment, functions of both the source for sending packets and the sink for receiving packets are described with reference to the packets sending/receiving apparatus 401C. Please note that this is for the sake of simplicity of the description, and packets are actually sent and received in two different packets sending/receiving apparatuses.

(Step 1) Copy protection information representing an encryption state of encryption sending data during transmission is input to the DTCP information production means 1001 as authentication and key exchange related information.

(Step 2) First, a request for sending data is generated in the sending apparatus (source). The data protection mode information (EMI) is output from the DTCP information production means 1001 to the first packetization means 701. Sending packets are produced and the sending packets are sent from the sending apparatus.

(Step 3) The sending packets sent from the sending apparatus are received as reception packets in the receiving apparatus (sink). The AKE command reception process means 1002 analyzes copy protection information of the data received from the first packets reception means 703, and determines which of the authentication schemes, complete authentication or limited authentication, is to be used. Then, the AKE command reception process means 1002 sends an authentication request through the AKE command sending process means 1003.

(Step 4) A predetermined process of the DTCP scheme is performed between the receiving apparatus and the sending apparatus, and an authentication key is shared.

(Step 5) Next, the sending apparatus sends an encryption exchange key produced by encrypting an exchange key using the authentication key in the AKE command sending process means 1003 via the first packetization means 701. In the receiving apparatus, the encryption exchange key is extracted by the AKE command reception process means 1002 and decoded to an exchange key in the exchange key production means 1004.

(Step 6) In the sending apparatus, seed information (O/E) which changes over time is produced in the encryption key production means 1005 for changing an encryption key over time. The seed information is sent to the receiving apparatus via the DTCP information production means 1001 and the first packetization means 701.

(Step 7) In the sending apparatus, an encryption key is produced using the exchange key and the seed information in the encryption key production means 1005. The encryption means 406 encrypts sending data (for example, MPEG-TS) using the encryption key and produces encryption sending data. The encryption means 406 outputs the encryption sending data to the second packetization means 702.

(Step 8) In the receiving apparatus, the encryption key change information production means 1006 receives seed information from the first packets reception means 703. The decoding key production means 1007 uses the seed information and the exchange key of the exchange key production means 1004 to produce an encryption key (decoding key).

(Step 9) In the receiving apparatus, the encryption key (decoding key) is used to decode the encrypted data in the decoding means 407.
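Steps 6 through 9 can be followed in the sketch below, which shows how a sink selects the decoding key from the O/E bit and what happens when a seed update is lost. It is an added example and not the DTCP key function: HMAC-SHA256 stands in for the predetermined function, and it is assumed that the seed is a counter increased by one per update and that O/E is its lowest bit. The cipher itself is omitted; keys are compared directly.

```python
import hashlib
import hmac


def derive_content_key(exchange_key, seed):
    """Stand-in for the 'predetermined function' (HMAC-SHA256, an assumption)."""
    msg = b"content-key" + seed.to_bytes(8, "big")
    return hmac.new(exchange_key, msg, hashlib.sha256).digest()[:16]


class Source:
    def __init__(self, exchange_key, seed):
        self.kx, self.seed = exchange_key, seed

    def update_seed(self):
        """Step 6: change the seed; the new value goes out on the control path."""
        self.seed += 1
        return self.seed

    def tag_packet(self):
        """Step 7: key for the next content packet and the O/E bit it carries."""
        return derive_content_key(self.kx, self.seed), self.seed & 1


class Sink:
    def __init__(self, exchange_key):
        self.kx = exchange_key
        self.slots = {}                       # O/E bit -> (seed, decoding key)

    def on_seed(self, seed):
        """Step 8: seed received from the first packets reception means."""
        latest = max((s for s, _ in self.slots.values()), default=seed - 1)
        if seed <= latest:
            raise ValueError("seed did not advance (replayed or reordered)")
        self.slots[seed & 1] = (seed, derive_content_key(self.kx, seed))
        return seed - latest                  # > 1 means updates were missed

    def key_for(self, oe):
        """Step 9: pick the decoding key from the packet's O/E bit."""
        if oe not in self.slots:
            raise KeyError("no key for this O/E value yet")
        return self.slots[oe][1]


def scenario():
    kx = bytes(range(16))                     # constructed exchange key (Step 5)
    src, snk = Source(kx, 6), Sink(kx)
    snk.on_seed(6)
    old_key, old_oe = src.tag_packet()        # content packet still in flight
    snk.on_seed(src.update_seed())            # control path delivers seed 7 first
    new_key, new_oe = src.tag_packet()
    in_order = (snk.key_for(old_oe) == old_key
                and snk.key_for(new_oe) == new_key)
    src.update_seed()                         # seed 8: this update is lost
    lost_key, lost_oe = src.tag_packet()
    stale = snk.key_for(lost_oe) != lost_key  # O/E = 0 selects the seed-6 key
    gap = snk.on_seed(src.update_seed())      # seed 9 arrives: gap of 2
    return in_order, stale, gap
```

The O/E bit alone cannot reveal a missed update, because the stale key sits in the same slot; the sink notices only from the gap in the seed values received on the control path.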

FIG. 12 is a block diagram for illustrating packets processes in the first packetization means 701 and the second packetization means 702 included in the packetization means 403, and the first packets reception means 703 and the second packets reception means 704 included in the packets reception means 405.

In the first packetization means 701, processes for forming the input data to an RTCP or RTSP protocol, a TCP or UDP protocol, and an IP protocol are sequentially performed.

Further, when the RTCP protocol (RFC1889) is used, the communication state of the network, such as effective bandwidth and delay time of the network, is sent from the receiving apparatus to the sending apparatus. The sending apparatus can adjust the quality of the data to be transmitted with RTP in accordance with the communication state of the network over which it has been sent and send the data.

The RTSP protocol (RFC2326) can send control commands such as reproduction, stop, forward and the like. It is also possible to reproduce data with the data being downloaded from an AV file.

In the second packetization means 702, processes for forming the input data into the RTP protocol, UDP protocol, and the IP protocol are sequentially performed to produce IP packets.

In the first packets reception means 703, a reception process of the IP protocol, a reception process of the TCP or UDP protocol, and a reception process of the RTCP or RTSP protocol such as filtering are sequentially performed. Thus, reception data included in the reception packets is extracted.

Further, in the second packets reception means 704, a reception process of the IP protocol, a reception process of the UDP protocol, and a reception process of the RTP protocol such as filtering are sequentially performed to extract the reception data included in the reception packets.

In this way, data (for example, MPEG-TS) is encrypted based on the DTCP scheme between the sending apparatus and the receiving apparatus and real-time transmission becomes possible. Further, since the second packetization means is formed with hardware, essentially, there are no un-sent sending packets or un-received reception packets due to a software process. The first packetization means with a small data amount may be formed of a reasonable processor such as microcomputers.

Even when authentication between the receiving apparatus and the receiving apparatus cannot be secured because any of the predetermined conditions is not matched due to some reason, at least one of a certificate which the sending apparatus or the receiving apparatus has previously stored, information such as MAC address, and biometric information for specifying an individual such as fingerprint, iris and the like may be used for performing authentication between the sending apparatus and the receiving apparatus.

Again, with reference to FIG. 11, in the case where authentication is performed between the packets sending/receiving apparatus 401C and the destination of the sending packets or the sending source of the reception packets, the AKE command reception process means 1002 of the authentication and key exchange means 402 may function as verify means for verifying the information stored in the storage means and information regarding the destination of the sending packets or information regarding the sending address of the reception packets when the authentication is not secured since the storage means for temporarily storing information regarding the destination of the sending packets or the sending source of the reception packets, the packets sending/receiving apparatus, and the destination of the sending packets and the sending source of the reception packets do not match the predetermined conditions.

In this way, two pieces of equipment that have authenticated one another within a household can be specifically authenticated between remote places. Thus, transmission of data contents and remote transmission of data contents between the household and a remote place such as a travel destination become possible.

Embodiment 5

FIG. 13 is a block diagram for illustrating packets processes in the first packetization means 701 and the second packetization means 702 included in the packetization means 403A, and the first packets reception means 703 and the second packets reception means 704A included in the packets reception means 405A.

The packetization means 403A and the packets reception means 405A have similar structures as the packetization means 403 and the packets reception means 405 described with reference to FIG. 12 on the point that the second packetization means 702 and the second packets reception means 704A are different. Therefore, in the following description, the second packetization means 702A and the packets reception means 405 will be mainly described.

The second packetization means 702A performs an error correction process on the data to be input and sequentially processes it so as to form the RTP protocol, UDP protocol, and IP protocol to produce IP packets.

The second packets reception means 704A sequentially performs a reception process of the IP protocol, a reception process of the UDP protocol, and a reception process of the RTP protocol such as filtering, and further, an error correction code process. Thus, error-corrected data is output.

FIG. 14 is a schematic view for illustrating a protocol stack according to Embodiment 5.

In the sending apparatus, an error correction code is added to AV data (ECC encode), and passed to the UDP protocol. In the receiving apparatus, data is received and error-corrected with the UDP protocol process and becomes AV data for upper layers.

Examples of error correction schemes will be described with reference to FIGS. 15 and 16.

FIG. 15 is a schematic view for illustrating an example where the error correction scheme is a Reed-Solomon scheme.

FIG. 16 is a schematic view for illustrating an example where the error correction scheme is a parity scheme.

In these examples, data (MPEG-TS) of two units is input to an error correction interleave matrix. 2 bytes of the sequence number are used for each row.

Then, packets addition information of two bytes, for example, is used and the RTP header, UDP header, IP header, Ethernet™ header are further added to produce an Ethernet™ frame.

In this way, data (for example, MPEG-TS) can be encrypted based on the DTCP scheme between the receiving apparatus and the sending apparatus, an error correction code is added, and the data can be transmitted in a real-time manner. Further, since the second packetization means is formed with hardware, essentially, there are no un-sent sending packets or un-received reception packets due to a software process. The first packetization means with a small data amount may be formed of a reasonable processor such as microcomputers.

Embodiment 6

FIG. 17 is a block diagram of a packets sending/receiving apparatus 401D according to Embodiment 6.

The packets sending/receiving apparatus 401D has a similar structure to the packets sending/receiving apparatus 401C described with reference to FIG. 11 except for the point that a receiving function of the reception data (for example, AV data such as MPEG-TS) is omitted.

FIG. 18 is a block diagram of a packets sending/receiving apparatus 401E according to another example of Embodiment 6 of the present invention.

The packets sending/receiving apparatus 401E has a similar structure to the packets sending/receiving apparatus 401C described with reference to FIG. 11 except for the point that a sending function of the sending data (for example, AV data such as MPEG-TS) is omitted.

Omitting the receiving function or the sending function of data as such can be applied to all the packets sending/receiving apparatuses described in Embodiments 1 through. Further, the present invention can also be applied to equipment which performs only sending or reception. Thus, the cost can be reduced.

In the above-described Embodiments 1 through 6, when packets are transmitted over a communication network where the order of the packets is not guaranteed, such as a general IP network, packets with the sequence number added may be sent and the order may be restored in the receiving apparatus using the sequence number added to the packets. The order can be secured at the fourth layer or higher of the OSI model, in other words, with the RTP protocol or video signal process.

The packets of the AV data which are subjected to a hardware process and transmitted can be prevented from being fragmented in the network. Specifically, in the sending apparatus, the maximum size (MTU) that is not fragmented in the communication network is checked in advance and the packets are transmitted with a packet size equal to or smaller than the maximum size.

More specifically, the sending condition setting management means 404 and the receiving condition setting management means 408 detect the maximum transmission packet size in a path from the sending destination of the sending packet to the reception destination between sending and the arrival of the sending frame. The maximum transmission packet size information is used to produce sending condition setting information or receiving condition setting information.

Alternatively, the RFC standards define that all terminals should be capable of handling IP packets of the size of 576 bytes. Thus, in most network equipment such as routers, fragmentation does not occur on IP packets having a size equal to or smaller than this. Thus, it is enough if the packet size of the AV data to be subjected to a hardware process in the sending apparatus is adjusted. When fragmentation does not occur in packets of AV data to be subjected to a hardware process in the sending apparatus, any received packets that are fragmented can all be processed as general packets. When the size exceeds the maximum value of the IP packet of Ethernet™, fragmenting in the sending apparatus is required. Accordingly, it is needless to say that the size should be equal to or smaller than the maximum size of the IP packet in order to prevent the preferred packets from being fragmented.

When the percentage of fragmenting in the communication network is very small, a fragmenting prohibition flag is added to the IP header of the packets of the AV data subjected to a hardware process in the sending apparatus before they are sent. In this way, an IP packet may be dropped in a situation where a router would have to fragment it, which alleviates the load of the fragment process in the receiving apparatus. In this case, a very small number of packets is lost, but communication quality can be compensated by performing error correction or error retouch in the receiving apparatus.

Further, in Embodiments 1 through 6, Ethernet™ is explained as a specific example of communication protocols. However, the present invention is not limited to this.

Moreover, MPEG-TS is used as an example of video signal process in Embodiments 1 through 6. However, the present invention is not limited to this. As the input stream of the present invention, any stream regarding video and audio, including MPEG-TS streams (ISO/IEC 13818) such as MPEG1/2/4, and streams standardized by DV (IEC 61834, IEC 61883), SMPTE 314M (DV-based), SMPTE 259M (SDI), SMPTE 305M (SDTI), SMPTE 292M (HD-SDI) and the like, is applicable.

The data rate of the video and audio is not limited to constant bit rate (CBR). It may be VBR. Furthermore, not only video and audio but also general real-time data, and any data that is sent/received preferentially, are not excluded from the present invention.

The data to be used in the present invention may be a file. When the data is a file, it is also possible to transmit data more rapidly than real time under certain conditions based on the relationship between the propagation delay time between the sending apparatus and the receiving apparatus, and the processing properties of the sending apparatus and the receiving apparatus.

Further, a contents transmission scheme which is generally called streaming in the field of the Internet can also be realized. In contents transmission of the streaming scheme, contents data is transmitted with TCP/IP or UDP/IP from the sending apparatus to the buffer of the receiving apparatus via the network, the contents data is read out at a relatively constant rate from the buffer of the receiving apparatus, and continuous data is reproduced in the receiving apparatus.

Further, the present invention is also applicable to the GXF file format (SMPTE 360M) standardized by SMPTE (www.smpte.org) and to encrypted transmission of a file which conforms to the MXF file format, whose standardization has been promoted.

Embodiment 7

Hereinafter, Embodiment 7 will be described.

FIG. 19 is a block diagram of a packets sending means 1101 according to Embodiment 7 of the present invention.

In this example, the packets sending means 1101 corresponds to the packetization means 403 and the framing means 409 described with reference to FIG. 4.

The packets sending means 1101 includes general data input means 1102, packetization information input means 1104, general data packetization means 1105, buffer means 1106, valid data extraction means 1107, preferred data packetization means 1109, packets sending order control means 1113, and frame data sending means 1114.

In the packets sending means 1101, preferred data is input from priority data input means 1103 to the valid data extraction means 1107. The valid data extraction means 1107 removes the invalid data component from the input preferred data, extracts a valid payload, and inputs valid data 1108 to the preferred data packetization means 1109.

The preferred data packetization means 1109 corresponds to the second packetization means 702 of the packets sending/receiving apparatus 401B described with reference to FIG. 8.

The packets sending order control means 1113 corresponds to the sending queue means 601 of the packets sending/receiving apparatus 401B described with reference to FIG. 8.

The process in the valid data extraction means 1107 includes buffering of data, data bit number conversion, clock frequency conversion and the like.

Specifically, the preferred data stream may be an SDTI stream of the SMPTE 321M standard, or the valid data may be DIF data of the SMPTE 314M standard.

Alternatively, the preferred data stream may be a DVB-ASI stream of the A10M standard, or the valid data may be MPEG-TS packets of the MPEG standard.

The preferred data packetization means 1109 produces preferred data packets using the packetization information and the valid data 1108.

FIG. 20 is a schematic view for illustrating a protocol stack of the preferred data packets.

The AV data shown in FIG. 20 is the preferred data to be input from the preferred data input means 1103 in the present embodiment.

As shown in FIG. 20, by processing AV data, an Ethernet™ frame is produced.

On the other hand, general data is input to the general data input means 1102. In general, the general data is data which does not have to be sent in real time. The general data packetization means 1105 generates general data packets using the general data and outputs the general data packets. The general data input means 1102 functions as an interface of data.

The general data packetization means 1105 corresponds to the first packetization means 701 of the packets sending/receiving apparatus 401B described with reference to FIG. 8.

Examples of the general data include information regarding operation control of the equipment described above, and management information of SNMP, MIB, and the like. These are transmitted using TCP/IP or UDP/IP.

The general data packets output from the general data packetization means 1105 are input to the buffer means 1106. The buffer means 1106 temporarily stores the general data packets. When the general data packets are stored in the buffer means 1106, the buffer means 1106 notifies (asserts) the packets sending order control means 1113 of a sending request signal 1110.

In general, for stream transmission of contents data such as video data in real time, video data has to be processed preferentially over data which does not require a real-time property.

The packets sending order control means 1113 gives priority to sending of the preferred data packets and, when the sending request signal 1110 is asserted, permits sending of the general data packets 1112 within the range which does not impair the real-time property of the preferred data packets. Sending of the general data packets from the buffer means 1106 is permitted by asserting a sending permission signal 1111 to the buffer means 1106.

The frame data sending means 1114 uses sending packets input from the packets sending order control means 1113 to produce an Ethernet™ frame and sends it as a sending frame to the network.

FIG. 21 is a schematic view for illustrating a sending timing chart in the present embodiment. The scheme shown in the timing chart is a sending control scheme of the preferred data packets and the non-preferred data packets (general data packets), which is a key point of the present embodiment.

In FIG. 21, sending start timing 2101 of the sending packets 2103, a pulse waveform 2102 of the sending request signal 1110, and the sending packets 2103 are shown so as to correspond to each other in a time-wise manner.

In the sending start timing 2101, upward arrows indicate timings for sending the sending frames including the preferred data packets, and downward arrows indicate timings in which sending frames including non-preferred data packets can be sent.

Further, the sending packets 2103 show the preferred data packets with blank rectangles and show the non-preferred data packets with solid rectangles.

In the present embodiment, the case where the following preferred data is sent will be described as an example. When the preferred data is DVCPRO25 (defined by SMPTE 314M), data of 120,000 bytes is generated within a period of 1 frame in NTSC mode. Thus, the data rate is a constant rate (CBR) of about 57.6 megabits/second (about 57.6 Mbps). In this example, the video payload length of the AV data is 1200 bytes and the system clock is 27 MHz.

The packet generation rate of the AV data, which is the preferred data, is 2997 packets/second (120,000/1,200=100 packets/frame).

Thus, when only the preferred data packets are transmitted, it is enough if a packet is sent every 9009.9 clock (27000000/2997). In other words, 9009.9 clock is the average sending interval.

According to the present embodiment, by sending the preferred data packets in an interval shorter than the average sending interval, a timing margin for sending non-preferred data packets (sending margin period) is generated.

Specifically, the sending interval of the preferred data packets is made to be 8100 clock, and a sending margin period in which sending of non-preferred data packets can be permitted is generated for every nine preferred data packets. When nine preferred packets are sent in 9009.9 clock, 81089.1 clock (9009.9*9) are required. In this example, the average value is considered in order to simplify the discussion. However, the value after the decimal points is also used.

In the present embodiment, the packets are sent in an interval of 8100 clock, shorter than 9009.9 clock. Actually, 72900 clock (8100*9) is required.

Therefore, the sending margin period for sending non-preferred data packets is 8189.1 clock (81089.1−72900).

At the sending start timing 2101, an interval from an upward arrow indicating a timing for sending preferred data packets to the next arrow is 8100 clock. A timing for sending non-preferred packets appears after every nine preferred packet timings (2104, 2105, 2106). An interval between a downward arrow indicating a timing for sending non-preferred packets and the next arrow is 8189 clock.

As shown by the pulse waveform 2102, the sending request signal 1110 is asserted when general data to be sent is stored in the buffer means. In FIG. 21, the pulse waveform becomes High.

In the pulse waveform 2102, the sending request signal becomes high at timing 2107. Next, in the sending start timing 2101, the sending permission signal 1111 is asserted when the timing at which the general data packets can be sent arrives (timing 2108) (not shown in FIG. 21), and general data packets 2111 are sent. The sending request signal 1110 is de-asserted at the timing when sending the general data packets is started (timing 2108 of the pulse waveform 2102).

At the timing 2105, since the sending request signal 1110 is not asserted, general data packets to be sent do not exist in the buffer means 1106 and the general data packets are not sent at the timing 2105.

Next, the pulse waveform 2102 of the sending request signal 1110 is asserted again at timing 2109 and general data packets 2112 are sent at timing 2110. The sending request signal 1110 is de-asserted after sending the general data packets 2112 is started (timing 2110 of the pulse waveform 2102).

When a plurality of general data packets are stored in the buffer means 1106, even though general data packets are sent, the sending request signal 1110 is not asserted and the remaining general data packets are sent one by one at the next timing when the general data packets can be sent. In this way, the preferred data packets are sent preferentially.
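The sending order control described above can be simulated as follows. This is an added example, not code from the patent: the clock figures (9009.9, 8100, nine packets per margin slot) are taken from the text as stated, while the function names, the arrival times and the assumption that buffered general packets stay pending until a margin slot takes them one at a time are illustrative.

```python
from collections import deque
from fractions import Fraction

# Figures as stated in the text, in system clock units.
AVG_INTERVAL = Fraction("9009.9")      # average sending interval of preferred packets
PREFERRED_INTERVAL = 8100              # shortened interval actually used
PACKETS_PER_CYCLE = 9                  # one margin slot after nine preferred packets
CYCLE = AVG_INTERVAL * PACKETS_PER_CYCLE                   # 81089.1 clock
MARGIN = CYCLE - PREFERRED_INTERVAL * PACKETS_PER_CYCLE    # 8189.1 clock


def schedule(general_arrivals, cycles):
    """Simulate `cycles` groups of nine preferred packets plus one margin slot.

    general_arrivals: clock times at which a general packet is stored in the
    buffer (constructed input). Returns (events, delays): events is a
    time-ordered list of (clock, kind); delays holds, for each general packet
    sent, the clocks it waited in the buffer.
    """
    pending = deque(sorted(Fraction(t) for t in general_arrivals))
    buffered = deque()      # a non-empty buffer stands for an asserted sending request
    events, delays = [], []
    for cycle in range(cycles):
        start = CYCLE * cycle
        # Upward arrows: nine preferred packets, 8100 clock apart.
        for i in range(PACKETS_PER_CYCLE):
            events.append((start + PREFERRED_INTERVAL * i, "preferred"))
        # Downward arrow: the margin slot in which one general packet may go out.
        slot = start + PREFERRED_INTERVAL * PACKETS_PER_CYCLE
        while pending and pending[0] <= slot:
            buffered.append(pending.popleft())
        if buffered:        # sending permission: exactly one packet per slot
            arrived = buffered.popleft()
            events.append((slot, "general"))
            delays.append(slot - arrived)
    return events, delays


def preferred_times(events):
    """Clock times of the preferred packets only."""
    return [t for t, kind in events if kind == "preferred"]


if __name__ == "__main__":
    # Three general packets buffered together, a fourth one later (constructed).
    events, delays = schedule([1000, 1000, 1000, 200000], cycles=4)
    for t, kind in events:
        print(f"{float(t):10.1f}  {kind}")
    print("general packet waits (clock):", [float(d) for d in delays])
```

The preferred packet times are identical with and without general traffic, and a burst of general packets drains at one packet per 81089.1 clock.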

The sending packets are output from the packets sending order control means 1113 to the frame data sending means 1114 as described above. The frame data sending means 1114 uses the input reception packets to produce an Ethernet™ frame which can be an interface with a physical layer and transfers it as a sending frame. In Ethernet™ of 10 Mbps and 100 Mbps, the MII standard interface is defined. In gigabit Ethernet™, the GMII standard interface is defined.

In the present embodiment, the time for allocating sending control of preferred data packets and general data packets to the respective packets is determined in clock units. However, the present invention is not limited to this. In the present invention, for example, a certain amount of preferred data packets may be stored in the buffer of the preferred data packetization means 1109 and preferentially sent in the packets sending order control means 1113 in a shorter time interval compared to that for an average packets production amount of the preferred data packets, and sending may be allocated to general data packets when the storage amount of the preferred packets in the buffer is equal to or smaller than a threshold level.

As described above, in the present embodiment, valid data may be extracted from the preferred data and may be sent preferentially over the general packets as the preferred data packets.

FIG. 22 is a block diagram showing packets sending means 1101A according to a variation of Embodiment 7 of the present invention.

The packets sending means 1101A has a similar structure to the packets sending means 1101 described with reference to FIG. 19 except for the point that preferred data format information for indicating information regarding the format of the preferred data is output via preferred data format information output means 1201. Therefore, in the following description, the preferred data format information output means 1201 will be mainly described.

In the packets sending means 1101A, if packetization information of the preferred data is set with an outside computer using format information of the preferred data to be output, packets can be transmitted efficiently.

Embodiment 8

Hereinafter, Embodiment 8 will be described.

FIG. 23 is a block diagram of packets sending means 1101B according to Embodiment 8.

The packets sending means 1101B includes a preferred data packetization information production block 1301 and has a similar structure to the packets sending means 1101 described with reference to FIG. 19 except that the preferred data format information is output from the valid data extraction means 1107 to the preferred data packetization information production block 1301. Therefore, in the following description, the preferred data packetization information production block 1301 will be mainly described.

Packetization information is input to the preferred data packetization information production block 1301. The preferred data packetization information production block 1301 uses the packetization information and the preferred data format information to reset the packetization information of the preferred data more optimally. In this way, optimal packetization information can be produced even when the packetization information is produced roughly outside. Thus, packets can be sent more efficiently.

According to the present embodiment, the preferred data format information can be obtained from the valid data extraction means 1107 to be used for determining the packetization parameter together with the packetization information input from outside. In this way, packetization of the preferred data can be performed automatically in units of the 80-byte DIF block when the preferred data is DV type, and in units of the 188-byte TS packet when the preferred data is MPEG type.

FIG. 24 is a block diagram of packets sending means 1101C according to a variation of Embodiment 8 of the present invention.

The packets sending means 1101C has a similar structure to the packets sending means 1101B described with reference to FIG. 23 except for the point that maximum transfer unit (MTU) size input means 1401 is provided. Therefore, in the following description, the MTU size input means 1401 will be mainly described.

In the packets sending means 1101C, the MTU size (maximum transmission size) is input from the MTU size input means 1401. The MTU size means the maximum transmission packet size of the preferred data in a transmission path. The preferred data packetization information production block 1301 produces packetization information 1402 such that the size of the preferred data packet produced at the preferred data packetization means 1109 is equal to or smaller than the input MTU size. In this way, fragmenting in the preferred data sending can be prevented and stable communication of preferred data can be realized.
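The following added example (not code from the patent) shows one way to turn the MTU size and the format unit into packetization information: the payload is the largest whole number of 80-byte DIF blocks or 188-byte TS packets that keeps the IP packet within the MTU, and the IPv4 header carries the fragmenting prohibition flag. It assumes IPv4 without options and a UDP/IP header; the function names, addresses (documentation range) and port numbers are constructed for illustration.

```python
import socket
import struct

IP_HDR, UDP_HDR = 20, 8              # IPv4 header without options, UDP header
UNIT = {"DV": 80, "MPEG": 188}       # DIF block and TS packet sizes from the text
DF_FLAG = 0x4000                     # "don't fragment" bit in the flags/offset field


def payload_length(mtu, fmt, extra_header=0):
    """Largest payload made of whole format units that fits in one IP packet.

    extra_header reserves room for headers carried inside the UDP payload,
    for example an RTP header plus packets addition information (assumption).
    """
    room = mtu - IP_HDR - UDP_HDR - extra_header
    units = room // UNIT[fmt]
    if units < 1:
        raise ValueError("MTU too small for a single %s unit" % fmt)
    return units * UNIT[fmt]


def ip_checksum(header):
    """One's-complement sum over 16-bit words of the IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_packet(src, dst, sport, dport, payload, mtu, ident=0):
    """Return an IPv4/UDP packet with DF set, refusing anything above the MTU."""
    total_len = IP_HDR + UDP_HDR + len(payload)
    if total_len > mtu:
        raise ValueError("packet of %d bytes exceeds MTU %d" % (total_len, mtu))
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total_len,          # version 4, header length 5 words, TOS 0
        ident, DF_FLAG,              # identification, DF set, fragment offset 0
        64, 17, 0,                   # TTL, protocol 17 (UDP), checksum placeholder
        socket.inet_aton(src), socket.inet_aton(dst),
    )
    header = header[:10] + struct.pack("!H", ip_checksum(header)) + header[12:]
    # UDP checksum 0 means "not computed", which IPv4 permits.
    udp = struct.pack("!HHHH", sport, dport, UDP_HDR + len(payload), 0)
    return header + udp + payload


if __name__ == "__main__":
    for mtu in (1500, 576):
        for fmt in ("MPEG", "DV"):
            print(mtu, fmt, payload_length(mtu, fmt))
    pkt = build_packet("192.0.2.1", "192.0.2.2", 50000, 50002,
                       bytes(payload_length(1500, "MPEG")), mtu=1500)
    print(len(pkt), "bytes, DF set:", bool(pkt[6] & 0x40))
```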

Embodiment 9

Hereinafter, Embodiment 9 will be described.

FIG. 25 is a block diagram of preferred data packetization means 1109 according to Embodiment 9.

The preferred data packetization means 1109 is included in the second packetization means 702 described with reference to FIG. 8 in Embodiment 2.

The preferred data packetization means 1109 includes buffer means 1501, counter means 1502, packet header production means 1503, and packets synchronization means 1504.

In the preferred data packetization means 1109, the valid data 1108 is input to the buffer means 1501 and the counter means 1502. The valid data 1108 includes a clock signal, data and a data valid flag.

The buffer means 1501 stores data only when the data valid flag of the valid data 1108 is asserted (valid).

Further, the counter 1502 also counts the data amount of the valid data 1108 and stores it in an internal register.

On the other hand, the packetization information 1104 (1302, 1402) is input to the packet header production means 1503. A UDP/IP header is produced in the packet header production means 1503 and input to the packets synchronization means 1504. Further, a payload length of a packet (for example, an IP packet) is output from the packet header production means 1503 to the counter 1502. A control signal for reading out the preferred data for the payload length is sent from the counter means 1502 to the buffer means 1501.

The buffer means 1501 outputs the preferred data of the payload length specified by the packet header production means 1503 to the packets synchronization means 1504. The packets synchronization means 1504 synchronizes the UDP/IP packet header produced at the packet header production means 1503 and the preferred data of the specified payload length to produce a UDP/IP packet and outputs it from the output means 1505.

FIG. 26 is a block diagram of preferred data packetization means 1109A according to a variation of Embodiment 9 of the present invention.

The preferred data packetization means 1109A has a similar structure to the preferred data packetization means 1109 described with reference to FIG. 25 except that a path 1601 is provided through which information indicating a payload length of the preferred data packets is input from the counter means 1502 to the packet header production means 1503. Therefore, in the following discussion, the path 1601 will be mainly described.

In the preferred data packetization means 1109A, information indicating the payload length of the preferred data packets is input from the counter means 1502 to the packet header production means 1503 via the path 1601. The packet header production means 1503 uses the input packetization information 1104 (1302, 1402) and the packet payload length to determine a packet header.

FIG. 27 is a block diagram of preferred data packetization means 1109B according to a variation of Embodiment 9 of the present invention.

The preferred data packetization means 1109B has a similar structure to the preferred data packetization means 1109A described with reference to FIG. 26 except that an error correction addition means 1701 is added. Therefore, in the following discussion, the error correction addition means 1701 will be mainly described.

In the preferred data packetization means 1109B, a payload of the preferred data packets is input from the buffer means 1501 to the error correction addition means 1701. In the error correction addition means 1701, a packet produced by adding an error correction code with a parity addition scheme and a Reed-Solomon scheme, which will be described below, is input to the packets synchronization means 1504.

An example of the preferred data packets may be AV data represented in one dimension as shown in FIG. 20. However, two-dimensional matrix data can also be used as AV data.

FIG. 28 is a diagram showing the packets structure when error correction is in the Reed-Solomon scheme.

As shown in FIG. 28, error correction of the Reed-Solomon scheme is performed on an AV data matrix arranged in byte units (8 bit units) on a matrix of m rows in a vertical direction (m is an integer, for example, 48 in FIG. 28) and n columns in a horizontal direction (n is an integer, for example, 1200 bytes in FIG. 28). A data matrix with four rows of error correction data added (1200 bytes in horizontal and 52 rows in vertical) is produced. The data matrix is read one row at a time. The data with the sequence number or the signal format information added as header information may be preferred data packets.

FIG. 29 is a diagram showing the packets structure when error correction is in a parity process scheme.

Parity calculation is performed on an AV data matrix arranged in byte units (8 bit units) on a matrix of m rows in a vertical direction (m is an integer, for example, 8 in FIG. 29) and n columns in a horizontal direction (n is an integer, for example, 1200 bytes in FIG. 29). A data matrix with one row of parity data added is produced. The data matrix is read one row at a time. The data with the sequence number or the signal format information added as header information may be preferred data packets.

An example of a matrix unit for producing preferred data packets is as follows. A number k (k is an integer, for example, 5) of matrices of m rows in a vertical direction (m is an integer, for example, 15) and n columns in a horizontal direction (n is an integer, for example, 80) is produced, and a data interleave process in row units is performed across the k matrices, which is a process to embed data into the same row of the k matrices one by one. When matrix data of m rows and n columns has been embedded, parity calculation is performed in the vertical direction of each matrix and a data matrix with one row of parity data added is generated. Then, the k pieces of data in the first row of the k data matrices are read out, then the k pieces of data in the second row of the k data matrices are read out, and so on until the k pieces of data in the m-th row of the k data matrices are read out. The data with the sequence number and signal format information added as header information may be preferred data packets.

As described above, by adding an error correction code to the preferred data in the preferred data packetization means in the sending apparatus, it becomes possible to restore the preferred data in the receiving apparatus even when a packet loss is generated in the network.
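The parity scheme of FIG. 29 can be worked through as follows. This is an added example, not code from the patent: it uses the 8-row by 1200-byte matrix and a 2-byte sequence number per row from the text, while the function names, the big-endian header layout and the test data are assumptions.

```python
import struct

ROWS, COLS = 8, 1200        # m and n of the FIG. 29 example
SEQ_MASK = 0xFFFF           # 2-byte sequence number per row


class UnrecoverableLoss(Exception):
    """More rows are missing than one parity row can rebuild."""


def xor_rows(rows):
    """Column-wise XOR of equal-length rows (parity in the vertical direction)."""
    acc = 0
    for row in rows:
        acc ^= int.from_bytes(row, "big")
    return acc.to_bytes(len(rows[0]), "big")


def encode_matrix(av_data, first_seq):
    """Split one matrix of AV data into ROWS packets plus one parity packet."""
    if len(av_data) != ROWS * COLS:
        raise ValueError("expected exactly %d bytes" % (ROWS * COLS))
    rows = [av_data[r * COLS:(r + 1) * COLS] for r in range(ROWS)]
    rows.append(xor_rows(rows))                     # the added parity row
    return [struct.pack("!H", (first_seq + r) & SEQ_MASK) + row
            for r, row in enumerate(rows)]


def decode_matrix(packets, first_seq):
    """Rebuild the AV data from packets received in any order, one loss allowed."""
    slots = [None] * (ROWS + 1)
    for pkt in packets:
        if len(pkt) != 2 + COLS:
            continue                                # wrong length: treat as lost
        (seq,) = struct.unpack("!H", pkt[:2])
        index = (seq - first_seq) & SEQ_MASK        # row position, wrap-safe
        if index <= ROWS:
            slots[index] = pkt[2:]
    missing = [i for i, row in enumerate(slots) if row is None]
    if len(missing) > 1:
        raise UnrecoverableLoss("rows %s lost" % missing)
    if missing and missing[0] < ROWS:
        # XOR of the seven surviving data rows and the parity row is the lost row.
        slots[missing[0]] = xor_rows([row for row in slots if row is not None])
    return b"".join(slots[:ROWS])


if __name__ == "__main__":
    data = bytes((i * 31 + 7) % 256 for i in range(ROWS * COLS))   # constructed
    packets = encode_matrix(data, first_seq=0xFFFC)                # spans a wrap
    survivors = packets[:3] + packets[4:]                          # row 3 lost
    print("restored:", decode_matrix(survivors, 0xFFFC) == data)
```

The parity row restores a lost row but does not detect a row whose contents were altered in transit.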

Embodiment 10

Hereinafter, Embodiment 10 will be described.

FIG. 30 is a block diagram of packets sending means 1101D according to Embodiment 10 of the present invention.

The packets sending means 1101D has a similar structure to the packets sending means 1101B described with reference to FIG. 23 except for the point that encryption information input means 1011 and encryption information input means 1012 in the preferred data packetization means 1109C are provided.

FIG. 31 is a block diagram of the preferred data packetization means 1109C according to Embodiment 10 of the present invention.

The preferred data packetization means 1109C has a similar structure to the preferred data packetization means 1109B described with reference to FIG. 27 except for the point that encryption information input means 1012 and encryption means 1122 are provided.

Therefore, in the following description, the encryption information input means 1011, the encryption information input means 1012 in the preferred data packetization means 1109C, and encryption means 1121 are mainly described.

The encryption means 1122 corresponds to the encryption means 406 of the packets sending/receiving apparatus 401 described with reference to FIG. 4.

In the packets sending means 1101D, encryption information is input from the encryption information input means 1011 to the encryption information input means 1012 in the preferred data packetization means 1109C.

In the preferred data packetization means 1109C, data output from the buffer means 1501 is input to the encryption means 1122 and encrypted using the encryption information input from the encryption input means 1011. The data encrypted at the encryption means 1122 is input to the error correction addition means 1701.

Information used for encryption is information produced by using at least one of unique information of the sending apparatus (equipment ID, equipment authentication information, MAC address, and the like), a private key, and a public key. By combining this with an encryption scheme of high encryption strength, strong copyright protection with respect to the preferred data packets can be provided.

Regarding the encryption scheme, for example, the encryption key Kc used in digital transmission content protection (DTCP) may be applied. For producing the encryption key Kc, an authentication process based on the DTCP scheme is performed in the sending apparatus and the receiving apparatus. The process is a known process and is described in, for example, Digital Transmission Licensing Administrator (DTLA) (http://www.dtcp.com/, http://www.dtcp.com/data/dtcp_tut.pdf) and a book “IEEE1394, AV kikiheno ouyou (IEEE 1394, Application to AV equipment)”, edited by Shinji Takada, The Nikkan Kogyo Shimbun Ltd., “Chapter 8, Copy protection”, pp. 133-149. Further, as authentication information, certificate information appropriately authenticated by a public or private certification organization via the network and the like can be used. For example, reference can be made to a governmental authentication infrastructure (http://gpki.go.jp/).

As described above, for UDP/IP packet transmission of the preferred data in the sending apparatus, the preferred data is encrypted and error correction is added. Even when a packet loss is generated in the network, the preferred data can be restored in the receiving apparatus. Also, eavesdropping and leakage of data over the network can be prevented, and AV data transmission with copyright protection and high security can be realized.

Embodiment 11

Hereinafter, Embodiment 11 will be described.

FIG. 32 is a block diagram of preferred data packetization means 1109D according to Embodiment 11 of the present invention.

The preferred data packetization means 1109D has a similar structure to the preferred data packetization means 1109C described with reference to FIG. 31 except for the point that encryption information switching means 1221 is provided. Therefore, in the following description, the encryption information switching means 1221 will be mainly described.

In the preferred data packetization means 1109D, encryption information that changes over time is input to the encryption information switching means 1221 via the encryption information input means 1012. The encryption information switching means 1221 switches the encryption information used in the encryption means 1122.

An example of a switching timing of the encryption information may be a timing for switching in units of the error correction matrix obtained from the error correction addition means 1701. In this way, the encryption strength of the communication between the sending apparatus and the receiving apparatus is further enhanced and the decoding of the encryption can be steadily realized.

The buffer means 1501 and the encryption means 122 of the preferred data packetization means 1109D correspond to the encryption means 406 of the packets sending/receiving apparatus 401B described with reference to FIG. 8. The counter means 1502 of the preferred data packetization means 1109D, the packet header production means 1203 and the encryption information switching means 1221 correspond to a part of the AKE means 402 and a part of the sending condition setting management means 404 of the packets sending/receiving apparatus 401B described with reference to FIG. 8. The packet header production means 1203 and the error correction addition means 1701 of the preferred data packetization means 1109D correspond to the sending condition setting management means 404, the second packetization means 702 and a part of the encryption means 406 of the packets sending/receiving apparatus 401B described with reference to FIG. 8. Particularly, the error correction addition means 1701 of the preferred data packetization means 1109D corresponds to the error correction addition means of the second packetization means 702A described with reference to FIG. 13.

FIG. 33 is a schematic view for illustrating a switching timing for encryption.

As shown in FIG. 33, encryption information to be input to the encryption information switching means 1221 is switched when the error correction matrix is switched.

The timing used for encryption key exchange is a timing generated in synchronization with an end point or a start point of the error correction matrix.

As described above, by using the phase of the error correction matrix as the switching phase, it becomes possible to operate decoding of the encryption smoothly while the encryption strength is increased.

The switching phase of the encryption key may be a specific value of the sequence number defined in the packet header. For example, when there is no error correction, the sequence number is an integer from 0 to 63, and a timing when the sequence number is updated from 63 to 0 may be used as the switching phase for the encryption key.

Furthermore, the encryption key to be input to the encryption information switching means 1221 may be input to the encryption information switching means 1221 while being switched at the specified timing, and the encryption key in the encryption information switching means 1221 may be switched in a specified interval.

Further, when a protocol other than UDP/IP, for example, TCP/IP, is used for sending packets, the sequence number of the TCP segment included in the TCP header can also be used. The TCP protocol is defined by IETF RFC 793.
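The sequence-number switching phase described above (key change when the header sequence number goes from 63 to 0) is sketched below as an added example; it is not code from the specification. The HMAC-SHA256 key derivation, the XOR keystream used as a stand-in cipher, the half-cycle tolerance window and all class and function names are assumptions made for illustration. It contrasts a receiver that switches only when it literally observes 63 followed by 0 with one that unwraps the sequence number, so a lost or reordered packet at the boundary does not leave it on the old key.

```python
import hashlib
import hmac

SEQ_MOD = 64            # header sequence number runs 0..63, as in the text
HALF = SEQ_MOD // 2     # assumed tolerance for loss and reordering
KEY = bytes(range(16))  # constructed sample exchange key


def epoch_key(exchange_key, epoch):
    """Content key for one 64-packet epoch (assumed HMAC-SHA256 derivation)."""
    return hmac.new(exchange_key, b"epoch" + epoch.to_bytes(8, "big"),
                    hashlib.sha256).digest()


def xor_stream(key, seq, data):
    """Stand-in cipher: XOR with an HMAC-SHA256 keystream bound to seq."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hmac.new(key, bytes([seq]) + block.to_bytes(4, "big"),
                           hashlib.sha256).digest()
        block += 1
    return bytes(d ^ s for d, s in zip(data, stream))


class Sender:
    def __init__(self, exchange_key):
        self.exchange_key = exchange_key
        self.count = 0  # packets sent so far

    def send(self, payload):
        # The key switches exactly when seq is updated from 63 to 0.
        epoch, seq = divmod(self.count, SEQ_MOD)
        self.count += 1
        return seq, xor_stream(epoch_key(self.exchange_key, epoch), seq, payload)


class NaiveReceiver:
    """Switches key only when it actually observes 63 followed by 0."""

    def __init__(self, exchange_key):
        self.exchange_key = exchange_key
        self.epoch = 0
        self.prev = None

    def receive(self, seq, ciphertext):
        if self.prev == SEQ_MOD - 1 and seq == 0:
            self.epoch += 1
        self.prev = seq
        return xor_stream(epoch_key(self.exchange_key, self.epoch), seq, ciphertext)


class Receiver:
    """Unwraps the 6-bit sequence number so the epoch survives loss/reordering."""

    def __init__(self, exchange_key):
        self.exchange_key = exchange_key
        self.highest = 0  # highest unwrapped sequence number seen so far

    def _unwrap(self, seq):
        cand = self.highest - self.highest % SEQ_MOD + seq
        if cand < self.highest - HALF:    # far behind: it belongs to the next cycle
            cand += SEQ_MOD
        elif cand > self.highest + HALF:  # far ahead: late packet from the last cycle
            cand -= SEQ_MOD
        return cand

    def receive(self, seq, ciphertext):
        ext = self._unwrap(seq)
        if ext < 0:                       # would precede the start of the stream
            return None
        self.highest = max(self.highest, ext)
        key = epoch_key(self.exchange_key, ext // SEQ_MOD)
        return xor_stream(key, seq, ciphertext)


def wrongly_decrypted(receiver, delivery_order, total=200):
    """Indices of delivered packets whose decryption does not match the input."""
    sender = Sender(KEY)
    packets = [sender.send(b"TS packet %d" % n) for n in range(total)]
    return [n for n in delivery_order
            if receiver.receive(*packets[n]) != b"TS packet %d" % n]


if __name__ == "__main__":
    no_63 = [n for n in range(200) if n != 63]        # boundary packet lost
    print("naive, 63 lost:", len(wrongly_decrypted(NaiveReceiver(KEY), no_63)))
    print("unwrapping, 63 lost:", len(wrongly_decrypted(Receiver(KEY), no_63)))
```

A burst loss longer than half a sequence cycle still leaves the unwrapping receiver one key behind for the rest of the stream, because the sequence number alone cannot show how many wraps were missed; recovering from that needs an explicit indication such as the encryption key update information that the specification carries as AKE related information.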

Embodiment 12

Hereinafter, Embodiment 12 will be described.

FIG. 34 is a block diagram of preferred data packetization means 1109 according to Embodiment 12 of the present invention.

The preferred data packetization means 1109E has a structure similar to that of the preferred data packetization means 1109D described with reference to FIG. 32, except that a table of correspondence between formats and port numbers 1401 is provided. Therefore, in the following description, the table of correspondence between formats and port numbers 1401 will be mainly described.

In the preferred data packetization means 1109E, the packet header production means 1203 further makes correspondence between the preferred data format information and the UDP port number in addition to the above-described function. The preferred data format information is included in the packetization information 1104.

In the table of correspondence between formats and port numbers 1401, format information used by the preferred data is stored. From the format information in the packetization information 1104 to be input, a UDP port number is determined. The packet header production means 1203 produces a UDP/IP packet by using the UDP port information.

In this way, the format can be detected in the receiving apparatus by only detecting the port number. Thus, a signal process in the receiving apparatus can be readily performed. Furthermore, even when two streams are received at the same time in a receiving apparatus which can handle two lines of stream process, the format or channel can be identified by the port number.

Embodiment 13

Hereinafter, Embodiment 13 will be described.

FIG. 35 is a block diagram of a packets sending system 2000 which is applied to IEEE 1394 stream transmission according to Embodiment 13 of the present invention. The packets sending system 2000 is included in the packets sending/receiving apparatus 401 described with reference to FIG. 4 in Embodiment 1.

In the packets sending system 2000, separation means 1552 separates the general data and the preferred data from the IEEE 1394 stream. In this example, the general data is an asynchronous signal and the preferred data is an isochronous signal.

FIG. 36 is a block diagram showing a packets sending system 2500 applied to a transmission of SDI/SDTI/DVB-ASI stream according to Embodiment 13 of the present invention.

In the packets sending system 2500, control and management signals input from RS232C, RS422 and the like are used as general data, and data separated from the SDI/SDTI/DVB-ASI stream is used as the preferred data.

FIG. 37 is a block diagram of a packets sending/receiving apparatus 1101E according to Embodiment 13.

To the packets sending/receiving apparatus 1101E, packets sending means 101 according to Embodiment 7 described with reference to FIG. 19 is applied.

A sending operation is similar to the operation described in above-described Embodiments 7 through 13. As a reception process, first, general data packets and priority data packets are separated from the reception frame, and general data and preferred data are respectively decoded therefrom and output.

In above-described Embodiments 7 through 13, when packets are sent over a communication network where the order of the packets is not guaranteed, the order may be restored in the receiving apparatus by using the sequence number added to the packets. Alternatively, the order may be restored in a video signal process in the following stage.

When it is not desired to perform a fragmentation process for the preferred packets on the receiving side, the maximum size (MTU) which is not fragmented on the communication network is checked in advance on the sending side in a process at an application level, and the packets may be transmitted at a certain fragmentation size. Alternatively, the RFC standard defines that all terminals should be capable of handling IP packets of the size of 576 bytes. Thus, in most network equipment such as routers, fragmentation does not occur on IP packets having a size equal to or smaller than this. Thus, it is enough if the preferred packets are produced such that the size of the IP packet is equal to or smaller than 576 bytes. When fragmentation does not occur in the preferred packets, any received packets that are fragmented can all be processed as general packets. When the size exceeds the maximum value of the IP packets of Ethernet™, fragmenting in the sending terminal is required. Accordingly, it is needless to say that the size should be equal to or smaller than the maximum size of the IP packets in order to prevent the preferred packets from being fragmented.

When the percentage of fragmenting in the communication network is very small, a fragmentation prohibition flag is added to the IP header of the preferred packets before they are transmitted. In this way, IP packets may be dropped in the situation where the router would otherwise have to fragment them, which alleviates the load of the fragment processing in the receiving terminal. In this case, a very small number of packets is lost, but communication quality can be compensated by performing error correction or error retouch on the receiving end.

Further, in Embodiments 7 through 13, Ethernet™ is explained as a specific example of communication protocols. However, the present invention is not limited to this.

Also, image compression and extension is described as an example of a video signal process. However, the example where the image is not compressed is not excluded from the scope of the present invention. The example where data with an image previously compressed with a scheme such as MPEG and the like is input is not excluded from the scope of the present invention.

Any apparatus which sends/receives real time data such as audio rather than video, or performs sending/reception preferentially is not excluded from the present invention.

In Embodiments 7 through 13, a video signal of a constant bit rate (CBR) is described as an example. However, the preferred data is not limited to CBR.

The preferred packets are subjected to a hardware process and the general packets are subjected to a CPU process. However, the present invention is not limited to this as long as a process speed is fast enough.

The above description is provided for enabling those skilled in the art to perform the present invention or use the present invention. Various modifications of the embodiments are apparent to those skilled in the art. A comprehensive principle clarified in the present specification may be applied to other embodiments without requiring any other invention. Therefore, the present invention is not intended to be limited to the embodiments shown in the present specification, but intended to match the broadest scope which conforms to the principle and novel features disclosed in the present specification.

INDUSTRIAL APPLICABILITY

According to the present invention, a packets sending/receiving apparatus includes AKE means for securing sending data, encryption means for the sending data, packets addition information production means for adding AKE information or sending control information to the encrypted data, means for extracting addition information such as the AKE information or the sending control information from reception packets, decoding means of the encrypted data, sending condition setting management means for setting appropriate packets sending condition based on a packets reception state fed back from a sending destination of the sending packets, packetization means, packets reception means, and setting management means of the reception condition.

In this way, the DTCP scheme may be implemented on the IP protocol, which is a standard protocol of the Internet. Further, it is possible to transmit packets (for example, IP packets) via a network while protecting confidentiality and copyright of the data by encrypting an AV data stream such as MPEG-TS and to decode into an original signal in the receiving apparatus.

According to one embodiment of the present invention, packets sending/receiving means classifies the sending packets into general packets and packets to be preferentially sent and inputs the general packets to first data queue means and the packets to be preferentially sent to second data queue means. Then, sending queue control means controls the sending order of the packets temporarily stored in the first data queue means and the second data queue means.

In this way, data with higher real-time property can be preferentially sent while an attempt is made to protect the confidentiality and the copyright of the data. When the input stream is a plurality of streams of two channels or more, they can be supported by classifying signals regarding the respective streams into the preferred data and the general data.

According to one embodiment of the present invention, the packetization means includes first packetization means and second packetization means. In this embodiment, general data such as AKE related information regarding AKE setting is input to the first packetization means. Encryption sending data produced in the encryption means and the AKE related information are input to the second packetization means, in which packetization by hardware is performed. The AKE related information is update information of copy control information and encryption key update information. An output from the first packetization means is input to the first data queue means, and an output from the second packetization means is input to the second data queue means. When a command for preferentially outputting a signal temporarily stored in the second data queue means is output from the sending condition setting management means to the sending queue control means, the encrypted data is preferentially output.

If the second data queue means is controlled to avoid an overflow in this way, real time transmission of data contents can be realized between a sending apparatus and a receiving apparatus since there is a buffer of an appropriate size in the receiving apparatus. When data is encrypted and transmitted in a real-time manner between the sending apparatus and the receiving apparatus, there is no trouble such as un-sent sending packets or un-received reception packets generated because the software process cannot be completed in time, since the second packetization means is formed of hardware. Further, since the first packetization means, which handles a small data amount, can be formed of reasonably priced microcomputers and the like, the cost can be reduced.

According to one embodiment of the present invention, in the packets sending/receiving means, the AKE means conforms to a process procedure defined by the DTCP scheme, and the AKE means includes encryption key production means, DTCP information production means, AKE command sending process means, AKE command reception process means, exchange key production means, encryption key change information production means, and decode key production means. The encryption key production means produces an encryption key, and inputs the produced encryption key to the encryption means to set an encryption operation. AKE information production means uses copy control information input from outside and key update information to be input from the encryption key production means to produce AKE related information. The AKE command sending process means receives the encryption key from the encryption key production means, an AKE parameter from outside, and AKE command information from the AKE command reception process means and produces and outputs the AKE sending command. The AKE command reception process means receives the AKE setting control information from the first packetization means and outputs setting control information respectively to the AKE sending processing means, the exchange key production means, and the encryption key change information production means. The encryption key change information production means produces encryption key change information using information from the AKE command reception process means and the first packets reception means. The decoding key production means produces a decoding key using the information from the exchange key production means and the encryption key change information production means, and outputs it to the decoding process.

Accordingly, it becomes possible to encrypt the AV data stream such as MPEG-TS and transmit in a real-time manner using the AKE means which conforms to the DTCP scheme. In this way, it becomes possible to try to protect the copyright of data.

According to one embodiment of the present invention, in the packets sending/receiving means, the second packetization means to which the encryption sending data produced at the encryption means and AKE related information (for example, copy control information and/or update information of the encryption key) are input includes an error correction code addition means therein. Thus, an error correction code is added.

Accordingly, it becomes possible to restore the sending data by error correction in the receiving apparatus whenever a packet loss or a bit error is generated in an IP network. Further, the second packetization means and second packets reception means can be more readily formed of hardware.

According to one embodiment of the present invention, regarding transmission of AV contents using the network, data eavesdropping over the network can be prevented and data transmission with a high security can be realized. Accordingly, even when a public network such as the Internet is used for a transmission path, eavesdropping and leakage of the preferred data (AV data) to be transmitted in a real-time manner can be prevented. Moreover, it becomes possible to sell and charge for AV data transmitted via the Internet and the like, and selling contents distribution of B-B, B-C with a high security becomes possible.

According to one embodiment of the present invention, when a transmission process of the AV contents is performed with hardware, general data packets are subjected to a software process using a CPU, as in the conventional art. By adding software, data such as management information and/or control information may be transmitted as the general data. Since the data amount is very small compared to the amount of preferred data, this can be realized with reasonably priced microprocessors such as microcomputers, and a system of a low cost can be realized. Further, since an expensive CPU and/or large-scale memory is not required for a protocol process of high-load and high-transmission rate preferred packets, an apparatus with a high function can be provided at a low cost in view of this point.

In one embodiment of the present invention, the preferred packets to be sent preferentially and the general packets with a lower sending priority compared to the preferred packets are multiplexed on the time line and sent. An average sending data rate of the preferred data in the preferred packets to be sent is controlled, for example, to send packets at a speed equal to or higher than the average input rate using hardware for exclusive use. A protocol process of data which requires real-time property, such as a video signal, is performed by a hardware process without depending on a software process by a CPU. Thus, the trouble that the process cannot be completed in time, which occurs in a software process, does not occur. Accordingly, all the preferred data packets are completely sent, and the transmission of high-quality images with the real-time property secured becomes possible.

The general data is temporarily stored in the buffer means, and intermittently transmitted while the preferred data is preferentially transmitted. In this example, when the transmission rate of the general data is 1 Mbps or lower, the transmission process of the general data is possible using processors such as a reasonably priced CPU and/or microcomputers.

Regarding the preferred data input as a stream, the invalid data portion of the stream is removed and only valid data is used to produce packets based on packetization information. In this example, when UDP/IP is used as a communication protocol, an IP address as an address and a UDP port number as a subaddress are used in the header.

Furthermore, sending timings (sending percentage) of the preferred packets and the general packets are controlled not by software but by hardware. Thus, they are completely controllable in clock units. All the preferred packets are completely sent, and high-quality transmission with the real-time property secured becomes possible. Since the shaping is also performed accurately in clock units, communication of very high quality, with a very small occurrence of packet dropping at the router in the first stage, becomes possible. Headers of IP (third layer) and UDP (fourth layer) are checked at the same time on the layer of the Ethernet™ frame (second layer), and the process of the preferred packet is performed with hardware. Thus, there is no un-received frame, and high-quality communication with the real-time property secured becomes possible.

According to one embodiment of the present invention, not only are the preferred data and the general data sent, but also preferred data format information is obtained from the valid data to be used for determining a packetizing parameter together with the packetizing information input from the outside. In this way, packetizing of the preferred data can be automated in a unit of 80 bytes of DIF block when the preferred data is DV type, and in a unit of 188 bytes of TS packets when the preferred data is MPEG type. Thus, the structure of the sending/receiving apparatus can be made simple.

According to one embodiment of the present invention, the preferred data can be restored in the receiving apparatus even when a packet loss is generated over the network by adding the error correction code to the preferred data in the preferred data packetization means in the sending apparatus.

According to one embodiment of the present invention, a transmission error protection function in the preferred data packetization means within the sending apparatus can be realized. Specifically, by adding an error correction code after the preferred data is encrypted, even when a packet loss is generated in the network, the preferred data can be restored in the receiving apparatus. Moreover, data transmission which can prevent data eavesdropping on the network and has a high security is realized. In this way, even though a public network such as the Internet is used as a transmission path, eavesdropping and leakage of the preferred data (AV data) to be real-time transmitted can be prevented. Moreover, it becomes possible to sell and charge for AV data transmitted via the Internet and the like, and selling contents distribution of B-B, B-C with a high security becomes possible.

According to one embodiment of the present invention, eavesdropping and leakage of the preferred data (AV data) to be real-time transmitted can be made more difficult by switching the encryption key which performs encryption. By using a phase of the error correction matrix as the switching phase, switching of the encryption key can be performed smoothly. In a public network such as the Internet, since an encryption parameter of the AV data to be transmitted in a real-time manner changes, eavesdropping and leakage of the contents can be strongly prevented.

According to one embodiment of the present invention, a signal process in the receiving apparatus can be made easier. Since a table which determines a combination of the formats of the preferred data and/or channel number and a port number is provided in the sending apparatus and the receiving apparatus, a format can be detected by only detecting a port number of the receiving apparatus. Thus, a signal can be readily processed in the reception apparatus. Further, when the two streams are received at the same time in the receiving apparatus in which two lines of stream processes are possible, it is possible to identify a format or channel with the port number.

According to one embodiment of the present invention, the general packets are handled only by a software process as in conventional art. Thus, by adding only software, data such as management data and control data can be transmitted as the general data. Since these data amounts are very small compared to the preferred data amount, they can be realized with reasonably priced microprocessors such as microcomputers, and thus, a system with a low cost can be realized. Further, since an expensive CPU and/or large-scale memory is not required for a protocol process of a high-load and high-transmission rate preferred packet, an apparatus with a high function can be provided at a low cost in view of this point.

1-51. (canceled)
52. A packets sending/receiving apparatus for sending sending packets and receiving reception packets, comprising: authentification and key exchange means for producing an encryption key and a decoding key; encryption means for producing an encryption sending data by encrypting sending data using the encryption key; sending condition setting management means for producing sending condition setting information for setting sending condition of the sending packet using at least one of sending condition related information, sending/reception management information, receiving condition setting information; packetization means for producing the sending packet using the encryption sending data; receiving condition setting management means for producing receiving condition setting information for setting receiving condition of the reception packets using at least one of receiving condition related information and packets reception information; packets reception means for receiving the reception packets, which extracts reception data included in the reception packets from the reception packets using the receiving condition setting information and produces the packets reception information from the reception packets, and outputs the packets reception information to the authentification and key exchange means or the received condition setting management means; decoding means for decoding the reception data using the decoding key; first queue means for temporarily storing a first packets group produced at the packetization means; second queue means for temporarily storing a second packets group produced at the packetization means; sending queue control means for controlling which of the first packets group stored in the first queue means and the second packets group stored in the second queue means is to be sent based on the sending condition setting information; framing means for producing a sending frame by framing the first packet output from the first queue means and the second packets output from the second queue means; and a frame reception means for extracting the reception packets from a reception frame, wherein the sending queue control means controls the first queue means and the second queue means so as to output the second packets stored in the second queue means such that an amount of the second packets stored in the second queue means does not exceed a predetermined amount.
53. A packets sending/receiving apparatus according to claim 52, wherein: the packetization means includes first packetization means and second packetization means; the first packetization means produces a first packets group using at least one of the sending condition setting information, and the authentification and key exchange related information; the second packetization means produces the second packets group using at least one of the sending condition setting information, authentification and key exchange related information, and the encryption sending data.
54. A packet sending/receiving apparatus according to claim 53, wherein: the packetization means converts the encryption sending data into a predetermined size and adds an IP header defined as IPv4 or IPv6 in IETF; the first packetization means is formed of a software, and the second packetization means is formed of a hardware.
55. A packets sending/receiving apparatus according to claim 53, further comprising: data separation means for separating the reception data into preferred data and general data; the encryption means encrypts the preferred data; and the first packetization means produces a first packet using the general data.
56. A packets sending/receiving apparatus according to claim 55, wherein the first packetization means adds at least one header of RTCP, RTSP, HTTP, TCP, UDP, and IP, which are data process protocols defined in the IETF document.
57. A packet sending/receiving apparatus according to claim 55, wherein the second packetization means adds a sequence number to data, or adds at least one header of RTP, UDP, HTTP, TCP, and IP, which are data process protocols defined in the IETF document.
58. A packet sending/receiving apparatus according to claim 55, wherein the preferred data is in an uncompressed SD format signal defined by SMPTE 259M standard, an uncompressed HD format defined by SMPTE 292M standard, a transmission stream format of DV or MPEG-TS by IEEE 1394 defined by IEC 61883 standard, MPEG-TS format by DVB-ASI, MPEG-PS format, MPEG-ES format, and MPEG-PES format, or a data file format.
59. A packets sending/receiving apparatus according to claim 55, wherein the sending queue control means controls the first queue means and the second queue means such that data rate of the preferred data does not become smaller than a predetermined value.
60. A packets sending/receiving apparatus according to claim 59, wherein the sending queue control means controls the first queue means and the second queue means such that the time for the preferred data to be stored in the second queue means is always smaller than a predetermined value.
61. A packets sending/receiving apparatus according to claim 59, wherein: the second packetization means includes a buffer means for temporarily storing data, a counter means for counting a length of the data, a packets header production means for producing a packets header of the second packets group, and packets synchronization means for synchronizing packets by combining the packets header and a payload output from the buffer; and the packets header production means specifies a payload length of the second packets group, reads out the data stored in the buffer means, and inputs to the packets synchronization means.
62. A packets sending/receiving apparatus according to claim 59, wherein: the second packetization means includes buffer means for temporarily storing data extracted from the preferred data, counter means for counting a length of the data, packets header production means for producing packets headers using packetization information, and packets production means for producing packets by combining the packets header and a payload; and the counter means outputs control data for reading out data which corresponds to a payload length from the buffer means.
63. A packets sending/receiving apparatus according to claim 59, wherein: the second packetization means includes buffer means for temporarily storing data, counter means for counting a length of the data, packets header production means for producing packets headers using packetization information, error correction addition means for adding error correction to the data, and packets synchronization means for synchronizing the packets header and the data with the error correction added; and the counter means outputs control data for reading out data which corresponds to a payload length from the buffer means.
64. A packets sending/receiving apparatus according to claim 59, wherein, in a layer for processing a reception frame of a layer lower than layers on which the preferred data and the general data are processed, the preferred data and the general data are selected from the communication protocol header of the reception packets included in the reception frame, and a process for the preferred data and a process for the general data are independently performed.
65. A packets sending/receiving apparatus according to claim 53, wherein the second packetization means includes error correction code addition means.
66. A packets sending/receiving apparatus according to claim 65, wherein a scheme of the error correction code used in the error correction code addition means is Reed-Solomon scheme or parity scheme.
67. A packets sending/receiving apparatus according to claim 53, wherein information indicating the encryption key outputs decoding information of the encryption key from the framing means before the sending packets encrypted with the encryption key is output in the framing means.
68. A packets sending/receiving apparatus according to claim 67, wherein information indicating the encryption key is sent before the time of reception of a reception frame which corresponds to the sending frame from sending of the sending frame with respect to the time when the sending packets including the encryption sending data produced using the encryption key is sent.
69. A packets sending/receiving apparatus according to claim 53, wherein the second packetization means includes an encryption switching means, inputs the encryption key to be input to the encryption key switching means to the encryption means while switching the encryption key at a specified timing, and switches the encryption key in the encryption means in a specified interval.
70. A packets sending/receiving apparatus according to claim 69, wherein timing used for the encryption key switching is timing generated in synchronization with a predetermined sequence number in a packet header, which is an output for the packet header production means.
71. A packets sending/receiving apparatus according to claim 69, wherein the timing for the authentification and key exchange means to update the decoding key is updated for every HTTP request when the sending packets use HTTP.
72. A packets sending/receiving apparatus according to claim 69, wherein the timing for the authentification and key exchange means to update the decoding key is changed for every certain amount of data when the sending packets use HTTP.
73. A packets sending/receiving apparatus according to claim 69, wherein timing for the authentification and key exchange means to update the decoding key is updated within a predetermined period when the sending packets use RTP.
74. A packets sending/receiving apparatus according to claim 69, wherein timing used for the encryption key switching is timing generated in synchronization with an endpoint and a start point of an error correction matrix.
75. A packets sending/receiving apparatus according to claim 52, wherein the sending queue control means controls which of the first packets group stored in the first queue means and the second packets group stored in the second queue means is to be sent using at least one of information regarding a sending path of the first packets group or the second packets group, information regarding a bandwidth required for sending the first packets group or the second packets group, information regarding delay from sending to arrival of the sending packets, and information regarding priority of the first packets group or the second packets group.
76. A packets sending/receiving apparatus according to claim 75, wherein the sending queue control means uses one of control schemes of RSVP scheme described with IETF rfc2205, rfc2208, rfc2209, Intserv scheme described with IETF rfc2210, rfc2211, 2212, rfc2215, and Diffserv scheme described with IETF rfc2474, rfc2475, rfc2597, rfc2598.
77. A packets sending/receiving apparatus according to claim 52, wherein the sending queue control means controls the first queue means and the second queue means so as to select one of the first packets group stored in the first queue means and the second packets group stored in the second queue means is to be sent and preferentially outputs the selected packets.
 78. A packets sending/receiving apparatus according to claim 52, wherein the sending queue control means controls the first queue means and the second queue means so as to average intervals between the first packets group sent from the first queue means and the second packets group sent from the second queue means.
 79. A packets sending/receiving apparatus according to claim 52, wherein the receiving condition setting management means and the receiving condition setting management means detect the maximum transmission packet size in a path from a sending destination of the sending packet and a receiving address between sending and arrival of the sending frame, and produces the sending condition setting information and the receiving condition setting information using the maximum transmission packet size information.
 80. A packets sending/receiving apparatus according to claim 52, wherein the framing means adds a frame header of IEEE 802.3 standard to a sending packets produced in the packetization frame.
 81. A packets sending/receiving apparatus according to claim 52, wherein the framing means adds a frame header of IEEE 802.1Q standard to sending packets produced in the packetization frame.
 82. A packets sending/receiving apparatus according to claim 52, wherein the packetization means converts the encryption sending data to a predetermined size and adds Internet Protocol (IP) header defined as IPv4 or IPv6 in IETF.
 83. A packets sending/receiving apparatus according to claim 52, wherein the packetization means adds information indicating that it is preferred packets to a service type field of IPv4 header or a type of service (TOS) field in the service type field.
 84. A packets sending/receiving apparatus according to claim 52, wherein the packetization means adds information indicating that it is preferred packets to a priority field of IPv6 header.
 85. A packets sending/receiving apparatus according to claim 52, wherein the authentification and key exchange means permits authentification when location information of the packets sending/receiving apparatus, and location information of the destination of the sending packets or location information of the sending source of the reception packets match predetermined conditions.
 86. A packets sending/receiving apparatus according to claim 85, wherein the sending/receiving management information includes at least one of the location information of the packets sending/receiving apparatus, and the location information of the destination of the sending packets or the location information of the sending source of the reception packets match predetermined conditions.
 87. A packets sending/receiving apparatus according to claim 86, wherein the location information is information with area specified by a region code, address, postal code, or longitude and latitude.
 88. A packets sending/receiving apparatus according to claim 85, wherein the authentification and key exchange means includes: storage means for temporarily storing information regarding the destination of the sending packets or sending source of the reception packets when authentification is performed between the packets sending/receiving apparatus to the destination of the sending packets or sending source of the reception packets; and verifying means for verifying the information stored in the storage means and the information regarding the destination of the sending packets or the information regarding the sending source of the reception packets when the authentification is not confirmed since the packets sending/receiving apparatus and the destination of the sending packets or sending source of the reception packets do not match the predetermined conditions, and performing authentification between the packets sending/receiving apparatus and the destination of the sending packets or sending source of the reception packets.
 89. A packets sending/receiving apparatus according to claim 88, the information regarding the destination of the sending packets or the information regarding the sending address of the reception packets includes at least one of a certificate, MAC address and biometric information.
 90. A packets sending/receiving apparatus according to claim 52, wherein the authentification and key exchange means performs predefined authentification and key exchange and updates the encryption key or decoding key to a predetermined period.
 91. A packets sending/receiving apparatus according to claim 90, wherein timing information for indicating timing for the authentification and key exchange means to update the decoding key is added to the sending packets.
 92. A packets sending/receiving apparatus according to claim 90, wherein the timing for the authentification and key exchange means to update the decoding key is changed for every certain amount of data when the sending packets use HTTP.
 93. A packets sending/receiving apparatus according to claim 90, wherein the timing for the authentification and key exchange means to update the decoding key is updated within a predetermined period when the sending packets use RTP.
 94. A packets sending/receiving apparatus for sending a sending packets and receiving a reception packets, comprising: authentification and key exchange means for producing an encryption key and a decoding key; encryption means for producing an encryption sending data by encrypting sending data using the encryption key; sending condition setting management means for producing sending condition setting information for setting sending condition of the sending packets using at least one of sending condition related information, sending/reception management information, receiving condition setting information; packetization means for producing the sending packets using the encryption sending data; receiving condition setting management means for producing receiving condition setting information for setting receiving condition of the reception packets using at least one of receiving condition related information and packets reception information; packets reception means for receiving the reception packets, which extracts reception data included in the reception packets from the reception packets using the receiving condition setting information and produces the packets reception information from the reception packets, and outputs the packets reception information to the authentification and key exchange means or the received condition setting management means; and decoding means for decoding the reception data using the decoding key, wherein the authentification and key exchange means permits authentification when location information of the packets sending/receiving apparatus, and location information of the destination of the sending packets or location information of the sending source of the reception packets match predetermined conditions, and the authentification and key exchange means permits authentification when a propagation time of one-way or a round trip from the packets sending/receiving apparatus to the destination of the sending packets or sending source of the reception packets is shorter than a predetermined limit time between the packets sending/receiving apparatus and the destination of the sending packets or sending source of the reception packets.
 95. A packets sending/receiving apparatus for sending sending packets and receiving reception packets, comprising: authentification and key exchange means for producing an encryption key and a decoding key; encryption means for producing an encryption sending data by encrypting sending data using the encryption key; sending condition setting management means for producing sending condition setting information for setting sending condition of the sending packets using at least one of sending condition related information, sending/reception management information, receiving condition setting information; packetization means for producing the sending packets using the encryption sending data; receiving condition setting management means for producing receiving condition setting information for setting receiving condition of the reception packets using at least one of receiving condition related information and packets reception information; packets reception means for receiving the reception packets, which extracts reception data included in the reception packets from the reception packets using the receiving condition setting information and produces the packets reception information from the reception packets, and outputs the packets reception information to the authentification and key exchange means or the received condition setting management means; and decoding means for decoding the reception data using the decoding key, wherein the authentification and key exchange means permits authentification when location information of the packets sending/receiving apparatus, and location information of the destination of the sending packets or location information of the sending source of the reception packets match predetermined conditions, and the authentification and key exchange means permits authentification, in the case where there is a wireless transmission zone in a sending/reception zone between the packets sending/receiving apparatus and the destination of the sending packets or sending source of the reception packets, when it is confirmed that it is in a mode for scrambling and transmitting data in the wireless transmission zone.
 96. A packets sending/receiving apparatus for sending sending packets and receiving reception packets, comprising: authentification and key exchange means for producing an encryption key and a decoding key; encryption means for producing an encryption sending data by encrypting sending data using the encryption key; sending condition setting management means for producing sending condition setting information for setting sending condition of the sending packets using at least one of sending condition related information, sending/reception management information, receiving condition setting information; packetization means for producing the sending packet using the encryption sending data; receiving condition setting management means for producing receiving condition setting information for setting receiving condition of the reception packets using at least one of receiving condition related information and packets reception information; packets reception means for receiving the reception packets, which extracts reception data included in the reception packets from the reception packets using the receiving condition setting information and produces the packets reception information from the reception packets, and outputs the packets reception information to the authentification and key exchange means or the received condition setting management means; and decoding means for decoding the reception data using the decoding key, wherein the authentification and key exchange means performs predefined authentification and key exchange and updates the encryption key or decoding key in a predetermined period, and the timing for the authentification and key exchange means to update the decoding key is notified by changing a TCP port number, or UDP port number of the sending packets.
 97. A packets sending/receiving apparatus for sending sending packets and receiving reception packets, comprising: authentification and key exchange means for producing an encryption key and a decoding key; encryption means for producing an encryption sending data by encrypting sending data using the encryption key; sending condition setting management means for producing sending condition setting information for setting sending condition of the sending packets using at least one of sending condition related information, sending/reception management information, receiving condition setting information; packetization means for producing the sending packets using the encryption sending data; receiving condition setting management means for producing receiving condition setting information for setting receiving condition of the reception packets using at least one of receiving condition related information and packets reception information; packets reception means for receiving the reception packets, which extracts reception data included in the reception packets from the reception packets using the receiving condition setting information and produces the packets reception information from the reception packets, and outputs the packets reception information to the authentification and key exchange means or the received condition setting management means; and decoding means for decoding the reception data using the decoding key, wherein the authentification and key exchange means performs predefined authentification and key exchange and updates the encryption key or decoding key in a predetermined period, and the timing for the authentification and key exchange means to update the decoding key is updated for every HTTP request when the sending packets use HTTP.
 98. A packets sending/receiving apparatus for sending sending packets and receiving reception packets, comprising: authentification and key exchange means for producing an encryption key and a decoding key; encryption means for producing an encryption sending data by encrypting sending data using the encryption key; sending condition setting management means for producing sending condition setting information for setting sending condition of the sending packets using at least one of sending condition related information, sending/reception management information, receiving condition setting information; packetization means for producing the sending packets using the encryption sending data; receiving condition setting management means for producing receiving condition setting information for setting receiving condition of the reception packets using at least one of receiving condition related information and packets reception information; packets reception means for receiving the reception packets, which extracts reception data included in the reception packets from the reception packets using the receiving condition setting information and produces the packets reception information from the reception packets, and outputs the packets reception information to the authentification and key exchange means or the received condition setting management means; and decoding means for decoding the reception data using the decoding key, wherein the authentification and key exchange means performs predefined authentification and key exchange and updates the encryption key or decoding key in a predetermined period, and copy control information of DTCP scheme in the authentification and key exchange means is transmitted by adding encryption mode information to the reception packets.
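
The following added example, which is not part of the patent text, shows a receiver choosing the decoding key from the UDP destination port, the signalling described in claim 96, including a late packet that arrives after the key switch. The port schedule agreed during key exchange, the HMAC-based key derivation and all names are assumptions made for illustration.

```python
import hashlib
import hmac

def content_key(exchange_key, generation):
    """Assumed derivation (not from the claims): one 128-bit key per generation."""
    label = b"content-key" + generation.to_bytes(4, "big")
    return hmac.new(exchange_key, label, hashlib.sha256).digest()[:16]

class KeySelector:
    """Receiver side: map the UDP destination port of a packet to a decoding key."""

    def __init__(self, exchange_key, port_schedule):
        # Hypothetical port schedule agreed during authentication and key exchange.
        # Three or more distinct ports keep "previous" and "next" distinguishable.
        if len(set(port_schedule)) != len(port_schedule) or len(port_schedule) < 3:
            raise ValueError("need at least three distinct ports")
        self.exchange_key = exchange_key
        self.schedule = list(port_schedule)
        self.generation = 0  # index of the key currently in use

    def _port(self, generation):
        return self.schedule[generation % len(self.schedule)]

    def select(self, dst_port):
        """Return (generation, key), or None when the packet must be dropped."""
        if dst_port == self._port(self.generation):
            gen = self.generation
        elif dst_port == self._port(self.generation + 1):
            self.generation += 1        # port changed: the sender switched keys
            gen = self.generation
        elif self.generation > 0 and dst_port == self._port(self.generation - 1):
            gen = self.generation - 1   # late packet sent before the switch
        else:
            return None                 # port outside the expected window
        return gen, content_key(self.exchange_key, gen)

def demo():
    # Constructed sample: destination ports of received packets, in arrival order.
    arrivals = [5004, 5004, 5006, 5004, 5006, 5008, 6000]
    selector = KeySelector(b"\x11" * 16, [5004, 5006, 5008])
    results = [selector.select(port) for port in arrivals]
    return [r[0] if r else None for r in results]

if __name__ == "__main__":
    print(demo())
```

Accepting only the current, next and previous scheduled ports means a packet on any other port is dropped rather than moving the receiver to a different key.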